DATA PROTECTION POLICY
This Policy sets out the obligations of Moximed, Inc. a Delaware Corporation, whose registered office is located at 46602 Landing Parkway, Fremont, CA 94538 (“the Company”) regarding data protection and the rights of investors, employees, contractors, customers, vendors, and other business contacts (“data subjects”) in respect to their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets the Company’s obligations as a Data Collector regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
2.1 As a Data Subject you have rights under the GDPR. These rights can be seen below. The Company will always fully respect your rights regarding the processing of your personal data, and has provided below the details of the person to contact if you have any concerns or questions regarding how we process your data, or if you wish to exercise any rights you have under the GDPR.
The identity and contact detail for the Data Protection Officer within Moximed, Inc. is:
Christine Barcelos – Vice President, Corporate Operations
46602 Landing Parkway
Fremont, CA 945438
This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply:
3.1 The Company processes personal data lawfully, fairly and in a transparent manner;
3.2 The Company collects personal data only for specified, explicit and legitimate purposes;
3.3 The Company processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
3.4 The Company keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
3.5 The Company keeps personal data only for the period necessary for processing; and
3.6 The Company adopts appropriate measures to make sure that personal data is secure, and protected against unauthorized or unlawful processing, and accidental loss, destruction or damage
4.1 The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
5.1 The Company only collects, processes, and holds personal data for the specific purposes and other purposes expressly permitted by the GDPR.
5.2 Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data.
6.1 The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
6.2 When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
7.1 The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
8.1 All emails containing personal data are not permitted. Rather data should be kept in a password protected share file with access granted to only those deemed necessary.
8.2 Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable.
8.3 Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission.
8.4 All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential” and sent via a reputable courier service that provides adequate tracking capabilities.
Due to the nature of the Company’s business, in many cases it will be necessary to process personal data via a third party Processor (these will include but are not limited to CROs, Logistics Company’s, payroll services, insurance agents, etc.).
9.1 Personal Data shall only be transferred to, or processed by, third party companies where such companies are necessary for the fulfilment of the travel arrangements.
9.2 Personal Data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognized by the EU as having an adequate level of Data Security, or is made with the consent of the Data Subject, or is made to satisfy the Legitimate Interest of the Company with regards to its contractual arrangements..
9.3 All transfers of Personal Data to Processors shall be subject to written agreements for internal Data transfers which are based on Standard Contractual Clauses recognized by the European Data Protection Authority.
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
10.1 All electronic copies of personal data should be stored securely using passwords
10.2 All hardcopies of personal data, along with any electronic copies stored on removable media should be stored securely in a locked box, drawer, cabinet, or similar;
10.3 All personal data that is stored electronically within the Moximed domain is automatically backed up on a daily basis and stored securely.
10.4 No personal data should be transferred to any device personally belonging to an employee, contractor or agent of the Company.
10.5 When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
The Company shall ensure that the following measures are taken with respect to IT and information security:
11.1 All computers used to store personal data must be password protected and this password must not be shared with non-company staff or contractors.
11.2 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.
11.3 All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security- related updates as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and
11.4 No software may be installed on any Company-owned computer or device without the prior approval of the Vice President of Corporate Affairs.
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
12.1 All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy in the Company compliance manual;
12.2 Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
12.3 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
12.4 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
12.5 Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
12.6 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
12.7 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
12.8 All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and
12.9 Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
13.1 All personal data breaches must be reported immediately to the Vice President of Corporate Operations, who will then report to the CEO.
13.2 In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company must ensure that all affected data subjects are informed of the breach directly and without undue delay.
13.3 Data breach notifications shall include the following information:
This Policy shall be deemed effective as of May 25, 2018. No part of this Policy shall have retroactive effect and shall apply only to matters occurring on or after this date.
This Policy has been approved and authorized by:
Anton Clifford, PhD
Date: May 24, 2018
Appendix – Definitions of certain terms:
(Article 4 of the GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4 of the GDPR): means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
Legal Basis for Processing:
(Article 6 of the GDPR): At least one of these must apply whenever personal data is processed:
(Article 4 of the GDPR): this means the person or company that determines the purposes and the means of processing personal data.
(Article 4 of the GDPR): A processor is responsible for processing personal data on behalf of a Controller.
©2015 Moximed Inc. All rights reserved.
CAUTION — Investigational Device. Limited by US Law to Investigational Use.