Data Protection Policy
This Policy sets out the obligations of Moximed, Inc., a Delaware Corporation whose registered office is located at 46602 Landing Parkway, Fremont, CA 94538 (“the Company”), regarding data protection and the rights of investors, employees, contractors, customers, vendors, and other business contacts (“data subjects”) in respect of their personal data under EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the Company’s obligations as a Data Controller regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
2 The Rights of Data Subjects
2.1 As a Data Subject you have rights under the GDPR, including those set out in this Policy. The Company will always fully respect your rights regarding the processing of your personal data, and has provided below the details of the person to contact if you have any concerns or questions regarding how we process your data, or if you wish to exercise any rights you have under the GDPR.
The identity and contact details of the Data Protection Officer within Moximed, Inc. are:
Christine Barcelos – Vice President, Corporate Operations
46602 Landing Parkway
Fremont, CA 94538
3 The Data Protection Principles
This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply:
3.1 The Company processes personal data lawfully, fairly and in a transparent manner;
3.2 The Company collects personal data only for specified, explicit and legitimate purposes;
3.3 The Company processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
3.4 The Company keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
3.5 The Company keeps personal data only for the period necessary for processing; and
3.6 The Company adopts appropriate measures to make sure that personal data is secure, and protected against unauthorized or unlawful processing, and accidental loss, destruction or damage.
4 Lawful and Transparent Data Processing
4.1 The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
a) The data subject has given consent to the processing of their personal data for one or more specific purposes;
b) The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;
c) The processing is necessary for compliance with a legal obligation to which the data controller is subject;
d) The processing is necessary to protect the vital interests of the data subject or of another natural person.
4.2 The Company will not use personal data for any monitoring or profiling activity.
5 Specified, Explicit, and Legitimate Purposes
5.1 The Company only collects, processes, and holds personal data for the specific purposes for which it was collected and for such other purposes as are expressly permitted by the GDPR.
5.2 Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data.
6 Data Retention
6.1 The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
6.2 When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
a) It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
b) The data subject wishes to withdraw their consent to the Company holding and processing their personal data;
c) The data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so);
d) The personal data has been processed unlawfully;
e) The personal data needs to be erased in order for the Company to comply with a particular legal obligation.
6.3 Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure.
6.4 In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
7 Secure Processing, Accountability and Record Keeping
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
7.1 The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
a) The name and details of the Company and any applicable third-party data processors;
b) The purposes for which the Company collects, holds, and processes personal data;
c) Detailed descriptions of all technical and organizational measures taken by the Company to ensure the security of personal data.
8 Data Security – Transferring Personal Data and Communications
The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
8.1 Personal data must not be sent by email. Instead, it should be kept in a password-protected shared file with access granted only to those who need it.
8.2 Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable.
8.3 Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission.
8.4 All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential” and sent via a reputable courier service that provides adequate tracking capabilities.
9 Transfer to Third Parties (“Processors”)
Due to the nature of the Company’s business, in many cases it will be necessary to process personal data via a third-party Processor (these will include, but are not limited to, CROs, logistics companies, payroll services, insurance agents, etc.).
9.1 Personal Data shall only be transferred to, or processed by, third-party companies where such companies are necessary for the fulfilment of the purposes for which the personal data was collected.
9.2 Personal Data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognized by the EU as providing an adequate level of data protection, or is made with the explicit consent of the Data Subject, or is made to satisfy the legitimate interests of the Company in relation to its contractual arrangements.
9.3 All transfers of Personal Data to Processors shall be governed by written data processing agreements, and transfers of Personal Data outside the EEA shall be based on the Standard Contractual Clauses adopted by the European Commission.
10 Data Security – Storage and Disposal
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
10.1 All electronic copies of personal data should be stored securely and protected by passwords;
10.2 All hardcopies of personal data, along with any electronic copies stored on removable media should be stored securely in a locked box, drawer, cabinet, or similar;
10.3 All personal data that is stored electronically within the Moximed domain is automatically backed up on a daily basis and stored securely.
10.4 No personal data should be transferred to any device personally belonging to an employee, contractor or agent of the Company.
10.5 When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
11 Data Security – IT Security
The Company shall ensure that the following measures are taken with respect to IT and information security:
11.1 All computers used to store personal data must be password protected, and such passwords must not be shared with anyone, whether Company staff or contractors.
11.2 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.
11.3 All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and
11.4 No software may be installed on any Company-owned computer or device without the prior approval of the Vice President of Corporate Operations.
12 Company Responsibilities
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
12.1 All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy in the Company compliance manual;
12.2 Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
12.3 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
12.4 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
12.5 Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
12.6 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
12.7 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
12.8 All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and
12.9 Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
13 Data Breach Notification
13.1 All personal data breaches must be reported immediately to the Vice President of Corporate Operations, who will then report to the CEO.
13.2 Where a personal data breach is likely to result in a risk to the rights and freedoms of data subjects, the GDPR (Article 33) requires that the competent supervisory authority be notified without undue delay and, where feasible, within 72 hours of the Company becoming aware of the breach. In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company must also ensure that all affected data subjects are informed of the breach directly and without undue delay.
13.3 Data breach notifications shall include the following information:
a) The categories and approximate number of data subjects concerned;
b) The categories and approximate number of personal data records concerned;
c) The likely consequences of the breach;
d) Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
14 Entire Policy
This Policy shall be deemed effective as of May 25, 2018. This Policy shall not have retroactive effect and shall apply only to matters occurring on or after this date.
This Policy has been approved and authorized by:
Anton Clifford, PhD
Date: May 24, 2018
Appendix – Definitions of certain terms:
(Article 4 of the GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4 of the GDPR): ‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
Legal Basis for Processing:
(Article 6 of the GDPR): At least one of these must apply whenever personal data is processed:
Consent: the individual has given clear consent for the processing of their personal data for a specific purpose.
Contract: the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract.
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary to perform a task in the public interest, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the legitimate interests of the Data Controller unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
(Article 4 of the GDPR): ‘controller’ means the person or company that determines the purposes and the means of processing personal data.
(Article 4 of the GDPR): ‘processor’ means the person or company that processes personal data on behalf of a Controller.