SOTIO Biotech, Inc. Clinical Trials Privacy Notice

Effective on: November 16, 2023

1. Introduction

SOTIO Biotech Inc. (“SOTIO”, “we”, “us”, “our”) sponsors ethically approved clinical trials. We take the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individual patients (“Participants”) and personnel (“Personnel”) (individually and together, “you,” “your”) whose Personal Data we may receive in connection with the clinical trials (“Trial” or “Trials”) we sponsor.

Please read this Notice to learn what we are doing with your Personal Data, how we protect it, and how you can exercise your privacy rights.

This Notice does not apply to Personal Data collected by any other means, like Personal Data collected through our public website. This Notice does not apply to our employees.

2. Information Which Does Not Constitute Personal Data

If we do not process information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual, such information is not considered Personal Data and this Notice will not apply to our processing of that information.

3. What Can You Find in This Notice?

This Notice tells you, among other things:

4. Controllership

Within the scope of this Notice, SOTIO generally acts as the data controller for the Personal Data processed in the context of the Trials we sponsor. This means that we alone determine the purposes and means of the processing of your Personal Data.

In some jurisdictions, there may be other organizations that jointly control the processing of your Personal Data in conjunction with us, such as the study site where the Trial is being conducted. This means that we jointly, together with the other organization, determine the purposes and means of the processing of your Personal Data. If you would like to know more about any other data controllers that might be joint controllers together with SOTIO, you may ask your study doctor or the study site for further details, specifically related to the Trial you participate in.

5. What Personal Data We Collect About You

Participants:
Even though we are a data controller for the Personal Data processed in the context of our Trials, SOTIO itself does not have access to identifiable Personal Data, meaning that we are unable to identify you personally from the information we have access to. Personal Data is collected by our service providers like the study site (the clinic or other healthcare facility where the Trial is being run) or other third parties, such as your doctors or our clinical research organizations. When any information relating to you is shared with us by our service providers, it will first be key-coded (also known as “pseudonymized”) so that we cannot identify you by any direct personal identifier (such as your name, social security number, address, or telephone number).

The following types of Personal Data may be processed in the context of our Trials:

  • basic identifying information, such as your first and last name;
  • demographic information, such as your ethnicity, race, month/year of birth and sex;
  • contact information, such as your phone number, physical address and email address;
  • location information, such as the location of your testing site and Trial location (i.e. study site);
  • health care information, such as the identity and contact information of your doctors and health care providers;
  • health information, such as your medical history, current health status and reaction to the Trial drug or treatment;
  • your genetic information; and
  • identifiers and device information, such as IP address and associated location, operating system, and device IDs (e.g. when you visit a Trial-specific website).

Personnel:
The following types of Personal Data may be processed in the context of our Trials:

  • basic identifying information, such as your first and last name;
  • professional information, such as your place of practice, job title, the medical field in which you are active, professional qualifications and scientific activities;
  • financial data, such as payment-related information; and
  • location information, such as the location of your testing site and Trial location (i.e. study site).

6. How We Receive Your Personal Data

Participants:
We receive your Personal Data when:

  • you provide it directly to us (including when you provide your Personal Data to one of our service providers acting on our behalf);
  • a study doctor (also known as an “investigator”) or other healthcare personnel at the study site provides it to us, or your healthcare provider provides it to us;
  • we receive it from the clinical research organization that conducts the Trial on our behalf;
  • you visit one of our Trial-specific websites or online portals; and
  • you provide it to us, the clinical research organization, or a study doctor when you complete a pre-screening questionnaire to confirm your eligibility to participate in the Trial.

Personnel:
We receive your Personal Data when:

  • you provide it to us in your role as Personnel in the context of assisting in the operation of the Trial.

7. For What Purposes We Use Your Personal Data

Participants:
We may process your Personal Data for the purposes of:

  • managing and facilitating the Trial;
  • enabling your participation in the Trial;
  • answering the research questions for the Trial and aggregating data to generate statistics relating to the Trial and/or study drug or health treatment;
  • arranging for the delivery of drugs to you and collection of unused drugs from you in relation to the Trial;
  • arranging your transportation to or from the study site;
  • sending you reminders about your appointments at the study site, or to take your medication on time;
  • monitoring and reporting on any adverse events, such as negative side effects;
  • developing new medicinal drugs or health treatments;
  • complying with legislation governing Trials;
  • disclosing your Personal Data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law;
  • responding to your inquiries and requests; and
  • communicating with you on the status of the Trial.

We also process your Personal Data for the specific purposes described in the informed consent form provided to you by Personnel.

Personnel:
We may process your Personal Data for the purposes of:

  • managing our relationship with you;
  • contacting Personnel for planning and organizing the Trials;
  • conducting the Trials; and
  • complying with applicable laws and regulations.

8. The Legal Bases for Processing Your Personal Data

Participants:
We must have a valid reason to use your Personal Data. This is called a “lawful basis for processing”. We may process your Personal Data on the basis of:

  • Consent: We may ask for your consent to collect and process your Personal Data, including special categories of Personal Data, such as your health status and medical history. Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.
  • Contract: We may process your Personal Data to fulfill a contract we have with you. Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfill our contractual obligation towards you.
  • Legitimate Interests: Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests. We may process your Personal Data based on our legitimate interests in facilitating and managing our Trials.
  • Compliance with Legal Obligations: We may need to process your Personal Data for us to comply with applicable laws or regulations, such as the laws regulating the safety and reliability of our Trials.
  • Public Interest: We may process your Personal Data for reasons of public health interests to ensure adequate standards of quality and safety of the drugs or treatments we are developing.

Since we process special categories of Personal Data, such as your health status and medical history, the GDPR requires that we must have an additional ground to process this type of information. SOTIO may process your special categories of Personal Data on the basis of your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Trials. Please refer to the informed consent form you signed when you joined the Trial for more information about the legal grounds on which we process your Personal Data.

Personnel:
We must have a valid reason to use your Personal Data. This is called a “lawful basis for processing”. We may process your Personal Data on the basis of:

  • Consent: Personal Data may be processed based on your consent. Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.
  • Contract: Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfill our contractual obligation towards you.
  • Legitimate Interests: Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests. SOTIO may process the Personal Data of Personnel based on our legitimate interests in facilitating the operation of our business and conducting Trials, making informed investigator selection decisions, and improving our principal investigator and Trial personnel recruiting and contracting processes.
  • Compliance with Legal Obligations: We may also process Personal Data because it is necessary for the performance of the contracts between SOTIO and Trial sites, including by enabling us to communicate with you and other principal investigators about the performance of the relevant Trial. SOTIO may process Personal Data of Trial Personnel in order to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect Personal Data from individuals who participate in the conduct of a Trial.

9. Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide website functionality, authentication (session management), and usage analytics (web analytics), to remember your settings, and to generally improve our websites. For more information on how we use cookies, please refer to the cookie policy located in the footer of the Trial-specific website.

10. How Long We Keep Your Personal Data

SOTIO will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable laws or regulations.

Participants:
To the maximum extent permitted by law, once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. For example, European law and Good Clinical Practices require us to keep Personal Data that is part of the clinical trial master file for at least twenty-five (25) years after the conclusion of the applicable Trial. Other laws may require different retention periods. This includes your identity and health information and any adverse effects of the drug you took during the Trial.

11. With Whom We Share Your Personal Data

We will share your Personal Data with service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by applicable laws or regulations. Our service providers may include parties providing the following, either currently or in the future:

  • contract/clinical research organization services;
  • patient recruitment services;
  • laboratory services;
  • study oversight, imaging and digital patient services;
  • quality assurance, safety and pharmacovigilance software and related services;
  • data storage and archiving software and related services;
  • data analytics and reporting software and services;
  • services related to the collection, storage, testing, and transportation of biological material;
  • logistics and transport service providers;
  • electronic data capture software and hardware.

We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, and public government agencies (i.e., National Health Authorities, Regulatory Authorities and Ethics Committees) and may be located in other countries.

12. International Transfers of Personal Data

Some of the abovementioned third parties may be located in countries outside of the EU or the EEA. In some cases, the European Commission may not have determined that those countries’ data protection laws provide a level of protection for your Personal Data. When the GDPR applies to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries which are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data.

We ensure that the recipient of your Personal Data offers an adequate level of protection, for instance, by entering into appropriate data protection agreements and if required, the European Commission-approved standard contractual data protection clauses (or a similarly appropriate contractual transfer mechanism). These safeguards may include the model data protection clauses approved by the European Commission. To access these model clauses, please contact our Data Protection Officer.

13. Other Disclosures of Your Personal Data

We may disclose your Personal Data:

  • to the extent necessary, to regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order;
  • if, in the future, we sell or transfer, or we consider selling or transferring, part or all of our company, business, shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events; or
  • in the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events; and/or
  • if necessary, to our group companies for business purposes, as described above.

If you want to receive the list of the current recipients of your Personal Data, please make your request by contacting us at legal@sotio.com.

If we have to disclose your Personal Data to a government or law enforcement authority, we may not be able to ensure that those officials will protect your Personal Data.

14. How We Protect Your Personal Data

We have put in place technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include key-coding and encryption, where appropriate.

15. Your Privacy Rights

You have specific rights regarding your Personal Data that we collect and process. In this section, we first describe those rights and then we explain how you can exercise them.

Right to Know What Happens to Your Personal Data
This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

We will always try to inform you about how we process your Personal Data. However, if we do not collect the Personal Data directly from you, the GDPR exempts us from the obligation to inform you when (i) providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law; or (iii) the Personal Data must remain confidential due to professional secrecy or other statutory secrecy obligations.

Right to Know What Personal Data SOTIO Has About You 
This is called the right of access. This right allows you to ask for full details of the Personal Data we hold on you. You have the right to obtain from us confirmation of whether or not we process Personal Data concerning you, and, where that is the case, a copy of or access to the Personal Data and certain related information. Once we have received your request and confirmed that it came from you or your authorized agent, you have the right to have disclosed to you information required under the GDPR, which may include:

  • The categories of your Personal Data that we process;
  • The categories of sources for your Personal Data;
  • Our purposes for processing your Personal Data;
  • Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
  • The categories of third parties with whom we share your Personal Data;
  • The specific pieces of Personal Data we process about you in an easily sharable format;
  • If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests (for example, to process a request made by you); and
  • The appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

Right to Change Your Personal Data
This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.

Right to Delete Your Personal Data
This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Data
This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data
This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Data
This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our Services, so that you can:

  • Move it;
  • Copy it;
  • Keep it for yourself; or
  • Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.

Right Related to Automated Decision Making
We do not use automatic decision making.

Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

How to Exercise Your Rights
Participants:
To exercise your rights, please first speak with your study doctor instead of contacting us directly, so that we can ensure that your confidentiality is preserved. Where appropriate, your doctor will pass on your request to SOTIO.

In order to correctly respond to your privacy rights requests, the study doctor will need to confirm that YOU made the request. Consequently, they may require additional information to confirm that you are who you say you are.

The study doctor will request the minimum amount of information from you required to verify your request and will only request information that is already held pertaining to you. Any Personal Data you provide related to the request will be used only in order to verify your identity or authority to make the request.

If you are unable to exercise your rights through your study doctor for any reason, you may contact our Data Protection Officer, VeraSafe, by sending an email to experts@verasafe.com, or by using the information in the “Contact Us” section below. In order to preserve your confidentiality, please do not contact SOTIO directly.

Personnel:
You may contact our Data Protection Officer, VeraSafe, by sending an email to experts@verasafe.com, or by using the information in the “Contact Us” section below.

In order to correctly respond to your privacy rights requests, the Data Protection Officer will need to confirm that YOU made the request. Consequently, they may require additional information to confirm that you are who you say you are.

The Data Protection Officer will request the minimum amount of information from you required to verify your request and will only request information that is already held pertaining to you. Any Personal Data you provide related to the request will be used only in order to verify your identity or authority to make the request.

Participants and Personnel:
You also have the right to lodge a complaint with a data protection regulator in your applicable jurisdiction.

If you are unable to exercise your rights using the above instructions, you may contact SOTIO by phone at (+1) 617-904-7600, or by email at legal@sotio.com. In order to preserve confidentiality, Participants should not contact SOTIO directly.

16. Data About Children

Our Trials are generally not directed at, or intended for use by, children under the age of 16; however, where this is the case, we obtain parental or legal guardian consent before processing Personal Data about children.

17. Contact Us 

If you are a Participant and have any questions about this Notice or our processing of your Personal Data, please contact your study doctor. If you are Personnel and have any questions about this Notice or our processing of your Personal Data, please contact our Data Protection Officer at the contact information provided below. Our Data Protection Officer will respond to you as soon as possible, but no later than one month after you contact us. If we need more time (up to 3 months in total), we will inform you of the reason why and the extension period in writing.

Data Protection Officer
We have appointed VeraSafe as our DPO. Personnel, please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe’s contact details are:

VeraSafe
100 M Street S.E., Suite 600
Washington, D.C. 20003
Email: experts@verasafe.com
Web: Contact Us | VeraSafe
Tel: +1 617 398 7067

European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, Personnel, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: Contact an Organization Participating in the VeraSafe Data Protection Representative Program | VeraSafe or use the contact details provided below:

VeraSafe can also be contacted at:
VeraSafe Czech Republic s.r.o. 
Klimentská 46
Prague 1, 11002
Czech Republic
Phone: +420 228 881 031

United Kingdom Representative
We have appointed VeraSafe as our representative in the United Kingdom. Personnel, while you may also contact us, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: Contact an Organization Participating in the VeraSafe Data Protection Representative Program | VeraSafe or use the contact details provided below:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
Email: experts@verasafe.com
Web: Contact Us | VeraSafe

18. Change to This Notice 

If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the “Effective” date.