Last updated: July 2021
Identity and contact details of the data controller
SynOx Therapeutics Limited is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
The data controller in accordance with data protection regulations (including the United Kingdom General Data Protection Regulation (UK GDPR), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018, as well as any legally enforceable data protection regulations applicable to its clinical study patients or other data subjects in force from time to time) is:
SynOx Therapeutics Limited
25-28 North Wall Quay
Email: [email protected]
Contact details of the data protection officer
You can reach our data protection officer as follows:
John Eccles House
Robert Robinson Avenue
Oxford Science Park
Email: [email protected]
General information on data processing
- in relation to our clinical trial activities
- for the functionality of our website
- via cookies
- via our social media presence
- during recruitment
- as part of our vendor management processes
- as a result of your communications or interactions with the company
A separate privacy statement regarding our collection of personal information in relation to employees, workers and contractors is distributed internally and detailed on the SynOx Therapeutics BrightHR portal or by emailing [email protected].
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
- The processing of personal data only takes place with the consent of the data subject (being the clinical trial patient) and where the processing of the data is permitted by law.
Lawful basis for processing data
The lawful basis for collecting your personal information will depend on the personal information concerned and the specific context in which we collect it. Unless otherwise stated, we will normally collect personal information from you where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms.
In some limited cases, it may be necessary for us to process personal information and, where appropriate and in accordance with local laws and requirements, sensitive information, in connection with exercising or defending legal claims.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Duration of processing
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We will retain information we collect from you where we have an ongoing legitimate business need to do so.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
How we share your data
We may share your information with any competent law enforcement body, regulatory or government agency, court or other third party where we believe disclosure is necessary as a matter of applicable law or regulation; to exercise, establish, or defend our legal rights; or to protect your vital interests or those of any other person.
We may disclose your personal information to any member of our group.
We may also share your information with third party service providers, where necessary for processing your data in accordance with the lawful purpose for which we collected it or where we have another legitimate interest for doing so.
Rights of the data subject
If you wish to access, correct, update or request deletion of your personal interest, you can do so at any time.
You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
If we have collected your personal information with your consent, then you can withdraw your consent at any time.
We have appointed a data protection officer (“DPO”) who has responsibility to oversee compliance with this Privacy Statement. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at the contact details below. You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority, or to a supervisory authority in the country of your residence or place of alleged infringement.
How we keep your data secure
We do all that we can to secure your privacy. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so. If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the DPO. You should preserve all evidence relating to the potential Personal Data Breach.
Clinical trial activities
In order to research the safety and efficacy of emactuzumab, a CSF1R therapeutic antibody, SynOx Therapeutics needs to conduct clinical trials, and report these to applicable government authorities such as the UK Medicines and Healthcare products Regulatory Agency (MHRA).
Clinical trials involve the collection and processing of health-related personal data such as clinical examinations, laboratory results, ECGs, and CT scan images, for example.
SynOx Therapeutics will not collect any information which immediately identifies a clinical trial patient. Data will be assigned a sequential anonymous code number for analysis purposes. Basic demographics such as year of age, sex, height, weight, and disease diagnosis will be recorded however. The only institution with immediate access to identifiable personal data will be the clinic at which you as the trial patient are being cared for.
At the end of the study, the anonymised data will be grouped with that from other study patients into electronic datasets, and statistically analysed to evaluate the safety and /or effectiveness of the treatment. These results will then be written into a formal report, a synopsis of which will be posted on a public website.
SynOx Therapeutics may pass the clinical trial data on to service providers contracted to provide specialist functions e.g. project management, safety monitoring, statistical analysis, report writing etc. Any service providers that we may share your data with are contractually obliged to follow relevant data protection regulations, keeping your clinical trial data securely, and to use it only to for the specified clinical trial. Your data will only be passed to a third party once we have obtained your consent, unless we are legally required to do otherwise.
The individual clinical trial patients give informed, explicit consent for the necessary parties (being SynOx Therapeutics, the Contract Research Organisation Clinipace (https://www.clinipace.com/privacy-statement/) and the clinic at which the patient is being cared for) to process their personal data for the purpose of undertaking the clinical trial study.
The personal data of the data subject will be erased or restricted as soon as the purpose of its storage has been accomplished. Additional storage may occur if required by the data controller by virtue of a legal obligation in the UK or the European Union to which the data controller is subject. For example, SynOx Therapeutics is required to retain information in accordance with the laws relating to clinical trials. This may be for up to 25 years.
Provision of website
We have a legitimate interest in ensuring the continued operational functionality of our corporate website www.synoxtherapeutics.com.
Each time our website is accessed, our system automatically collects data and relevant information from the computer system of the calling device. This data may include the browser type and version used, the user’s operating system, the internet service provider of the user, IP address, date and time of access, web pages from which the user’s system accessed our website and web pages accessed by the user’s system through our website. The data is stored in the log files of our system. The data is not stored with the user’s other personal data.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session.
The storage in logfiles is done to ensure, and optimise, the functionality of the website. An analysis of the data for marketing purposes does not take place.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The session is complete when the collection of data for the provision of the website is accomplished.
The user data collected in this manner is pseudonymised by technical measures. It is therefore not possible to assign the data to the user accessing the site. The data is not stored together with other personal data of the users.
The analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and thus can constantly optimise our offer. Cookies may also be collected for marketing purposes. The processing of personal data using non-technical cookies is dependent upon the consent of the user via an opt-in process upon entering the website.
Use of company presences in social and professional networks
The use of social media platform servers may result in the international transfer of personal data.
SynOx Therapeutics has a corporate presence, in order to fulfil a legitimate interest of interacting with stakeholders, on the following social media platforms:
You have full control over your interactions with our corporate presences on social media platforms in conjunction with the privacy policies of the social media platform you are interacting with.
We have a legitimate interest in building a qualified and skilled team through recruitment.
When you apply to a vacancy at SynOx Therapeutics, either directly or via a recruitment agent, we will process your personal information, such as that included on your CV and your contact details, in order to make a decision on the successful candidate. Your data will be stored using Microsoft 365 servers located in the United Kingdom (https://privacy.microsoft.com/en-gb/privacystatement)
We will fully anonymise the data stored to support our recruitment and shortlisting processes one year after the vacancy has been filled or the recruitment efforts ceased.
We hold contact details (such as name, email address and telephone number) and professional details (such as job title and company) for suppliers with which we have a contract, are in the process of discussing a potential contract or where there is a legitimate interest to our business and where the processing of this data is not overridden by your data protection interests or fundamental rights and freedoms. We collect such personal information, where appropriate and in accordance with laws and requirements, from sources including: (i) directly from the data subject; (ii) by analysing online and offline media; (iii) from attendee lists at relevant events; and (iv) from other limited sources.
We will use these contact details to contact subjects that we believe will be interested in a potential working relationship in line with our corporate strategy and for no other purposes.
Contact details may be stored:
- On our Microsoft 365 servers within the UK (https://privacy.microsoft.com/en-gb/privacystatement)
- On our supplier database on Monday.com (https://monday.com/l/privacy/privacy-policy/)
- On our Xero bookkeeping system (https://www.xero.com/uk/about/legal/privacy/)
- On our ApprovalMax and Dext approvals systems (https://www.approvalmax.com/policy and https://dext.com/uk/privacy-policy)
We will keep the information as long as we are required to do so either under the contract or as applicable to adhere to relevant laws and regulations. For example, tax authorities may require records to be retained for a minimum period.
Communication with the company
Information may be collected from you or our advisors if you are involved in any communication or interactions with the company. This information will only be collected where there is a legitimate interest or legal obligation.
We collect such personal information, where appropriate and in accordance with laws and requirements, from sources including: (i) directly from the data subject; (ii) by analysing online and offline media; (iii) from attendee lists at relevant events; and (iv) from other limited sources.
We may, from time to time, record meetings for the purposes of security, monitoring and training. These recordings may contain contact details (such as name, email address, telephone number), audio recordings and video recordings of you, as well as transcripts of your spoken words during the meeting. These recordings will only occur with your consent.
Information will be predominantly stored on our Microsoft 365 servers (https://privacy.microsoft.com/en-gb/privacystatement), although may fall into the scope of the processing reported in our Vendor Management section above.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.