Effective on: 20 April 2023
Ayala Pharmaceuticals, Inc. (“Ayala”, “we”, “us”, “our”) takes the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (this “Notice”) describes how we use your Personal Data we may receive, either directly from you, or from third parties, in connection with the clinical trials (a “Trial” or the “Trials”) we sponsor. This Notice is applicable to you if you are a Trial patient or Trial personnel at one of our Trial sites (individually and together, “you,” “your”).
This Notice explains in general terms our commitment to comply with data privacy laws and regulations, including but not limited to the Protection of Privacy Law, 5741-1987 of Israel, the Taiwanese Personal Data Protection Act 2015, the Australian Privacy Act 1988, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European General Data Protection Regulation (GDPR), the General Data Protection Regulation of the United Kingdom (UK GDPR), and the Health Insurance Portability and Accountability Act (“HIPAA”) of the United States.
Important note: Nothing in this Notice is intended to limit in any way your statutory right, including your rights to a remedy or means of enforcement.
Within the scope of this Notice, Ayala acts as a data controller for the Personal Data we collect, use and process (“process”). This means that we determine the purposes and the means of the processing of Personal Data.
However, we do not have direct access to Trial patients’ identifiable Personal Data, meaning that we are typically unable to directly identify Trial patients. Your Personal Data is collected by the clinical research organization (CRO) assisting us with the Trial, the Trial site (the doctor’s office, clinic, hospital, or other healthcare facility where the Trial is being conducted), or other third parties, such as your primary care doctors. When any information relating to Trial patients is shared with us, it will be key-coded (also known as “pseudonymized”) so that you will not be identified by any direct personal identifier.
There may be other organizations that jointly control the processing of your Personal Data in conjunction with us. If you would like to know more about the other data controllers that jointly determine the purposes for which we process your Personal Data, and the means by which we do so, you may ask your Trial doctor or the Trial site for further details, specific to the Trial you participate in.
Before, during, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on an appropriate lawful basis for processing your Personal Data. We will only process your sensitive Personal Data (like health and genetic data) when allowed by law.
We process your Personal Data for safety and reliability purposes in order to comply with our legal obligations.
We process your Personal Data for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.
If we process your Personal Data for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interest in conducting further research.
Ayala will need to process data about your health in order for you to participate in a Trial. Health data is considered sensitive Personal Data (also known as a “special category” of Personal Data) and special rules apply to working with it. When we process special categories of your Personal Data, we only do so when the processing is necessary for reasons of public interest in the area of public health. Those reasons include making sure our drugs are safe and effective, and conducting our Trials safely. We also process your sensitive Personal Data based on your explicit consent.
The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of applicable local laws in jurisdictions where we sponsor Trials. If you are a patient in an Ayala Trial, please refer to the informed consent form you signed for more information about the legal grounds on which we process your Personal Data. If there is any conflict between any provision in this Notice and any provision in the informed consent form you signed in connection with your participation in a clinical trial we sponsor, the informed consent form shall supersede the conflicting provision in this Notice.
Ayala may process the Personal Data of Trial personnel based on our legitimate interests in facilitating the operation of our business and conducting Trials, making informed investigator selection decisions, and improving our principal investigator and Trial staff recruiting and contracting processes.
We also process Personal Data because it is necessary for the performance of the contracts between Ayala and Trial sites, including by enabling us to communicate with you and other principal investigators about the performance of the relevant Trial.
Ayala may process Personal Data of Trial personnel in order to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect Personal Data from individuals who participate in the conduct of a Trial.
Personal Data may also be processed based on your consent.
We receive your Personal Data when:
Ayala itself will have access to the following types of Personal Data about Trial patients:
Ayala may collect and process the following types of Personal Data about Trial personnel:
Ayala’s service providers, including the CRO, will have access to and process the following types of your Personal Data:
We will process Trial patients Personal Data for the purposes of:
We also process the Personal Data of Trial patients for the specific purposes described in the Trial information provided to Trial patients by the Trial site.
We will process Trial personnel Personal Data for the purposes of:
If you participate in a Trial, you will be assigned a unique patient identification number. Depending on the Trial you participate in, this number may be used as part of an automatic process that randomly determines if you will receive the experimental drug substance or treatment that is being evaluated in the Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with good clinical practice standards.
Ayala will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable law.
Our Trials are long-term. We use them to track the effects of test medications using information collected from Trial participants like you. This means we will need to keep your Personal Data for a long time. However, in order to protect your privacy, the information of every Trial participant is “key-coded” before we enter it into the studies and reports. This means that we replace identifying information like your name and contact information with a code number.
To the maximum extent permitted by law, once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. For example, European law requires us to keep Personal Data that is part of the clinical trial master file for at least twenty-five years after the conclusion of the applicable Trial. Other laws may require different retention periods. This includes your identity and health information and any adverse effects of the drug you took during the Trial.
We will share your Personal Data with service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by applicable law.
Our service providers provide:
We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, and public government agencies and may be located in other countries. Therefore, your Personal Data may be processed outside your jurisdiction and in countries not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and that may not provide for the same level of data protection as your jurisdiction.
We ensure that the recipient of your Personal Data offers an adequate level of protection, for instance, by entering into appropriate data protection agreements and if required, the European Commission-approved standard contractual data protection clauses.
We may disclose your Personal Data:
If we have to disclose your Personal Data to a government or law enforcement authority, we may not be able to ensure that those officials will protect your Personal Data.
We have put in place technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include the use of measures like key-coding and encryption, where appropriate.
If we process your or your child’s Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. You may also have the right to ask that we limit our processing of your Personal Data, as well as the right to object to our processing of your Personal Data. You may also have the right to data portability, which means that you may have the right to ask us to provide you with a copy of your Personal Data that another company like Ayala can process.
If HIPAA applies to you, you also have the right to request or receive confidential communications from us by alternative means or at a different address and the right to receive a copy of this Notice.
To submit these requests or raise any other questions, please contact us by using the information in the “Contact Us” section below.
You may also have the right to lodge a complaint with a data protection regulator in your applicable jurisdiction. If HIPAA applies to you, you also have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services.
We obtain parental or legal guardian consent before processing Personal Data about children.
If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the “Effective” date.
If you have any questions about this Notice or our processing of your Personal Data, please contact our Data Protection Officer (DPO) at the contact information provided below. Our DPO will respond to you as soon as possible, but no later than 4 weeks after you contact us.
We have appointed VeraSafe as our DPO. Please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe’s contact details are:
100 M Street S.E., Suite 600
Washington, D.C. 20003
We have also appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
VeraSafe can also be contacted at:
|VeraSafe Netherlands BV
Keizersgracht 391 A
1016 EJ Amsterdam
We have also appointed VeraSafe as our representative in the United Kingdom (UK). While you may also contact us, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 45322003.
VeraSafe can also be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL