Introduction
The Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”) (together the “Data Protection Laws”) impose certain obligations on Foundry Innovation & Research 1, Limited, (the “Company”) as a data controller with respect to its use of personal data. This Notice explains how personal data is processed by the Company.
Who does this apply to?
This Notice applies to suppliers, contractors and business contacts of the Company as well as to website visitors and recruitment candidates. Processing of clinical trial participants’ personal data and of data related to staff, shareholders, directors and officers is covered by separate Privacy Notices.
If you participate in a clinical trial and have queries about your personal data, you should contact the Principal Investigator for the relevant trial, details of which can be found in your patient information leaflet.
What personal data do we process?
When you interact with the Company, personal data and other information about you may be processed, as further described in the table at the end of this document. We may process your personal data in order to perform a contract, for compliance with a legal obligation or for the purposes of pursuing the Company’s legitimate interests.
Sharing of personal data
We may disclose personal data to our service providers, such as security professionals, accountants, auditors, experts, lawyers and other professional advisors; IT system providers, support and hosting service providers; banks and financial institutions that service our accounts; document and records management providers; and other third party vendors and outsourced service providers that assist us in carrying out business activities.
We may also share personal data with: (a) government or other public authorities (including, courts, regulatory bodies, law enforcement agencies, tax authorities); and (b) third party participants in legal proceedings and their accountants, auditors, lawyers, and other advisors and representatives, as we consider necessary or appropriate.
Data Transfers outside the EEA
We may transfer personal data outside the EEA from time to time. Such transfer will be subject to appropriate safeguards in accordance with Data Protection Laws and in accordance with this Privacy Notice. Further details may be obtained from the Data Protection Lead (contact details below).
Retention Periods
The Company will keep personal data for as long as is necessary for the purposes for which we collect it. Where the Company holds personal data to comply with a legal or regulatory obligation, we will keep the information for as long as is required to comply with that obligation.
Where we hold personal data in the context of a contractual relationship, we will keep the information for the duration of that relationship, and for a certain time thereafter. The amount of time depends on the nature of the contractual relationship (which could be up to 7 years post termination) and will be retained for a longer period in the event of legal or prospective legal proceedings.
Recruitment data will typically be retained for one year.
For further information about the period of time for which we retain your personal data, please contact dataprotection@fire1foundry.com, FAO: Data Protection Lead.
Your Data Subject Rights
The Data Protection Laws provide certain rights in favour of Data Subjects, some of which only apply in limited circumstances or in a limited way: the right to receive information on the processing (which is provided through this Privacy Notice or other forms or notices provided to you); the right of access to personal data; the right to rectify or erase personal data (right to be forgotten); the right to restrict processing; the right to data portability; the right of objection and the right to object to automated decision-making (including profiling) which has a legal or similarly significant effect on you.
You also have the right to complain to the Data Protection Commission in Ireland or to your local data protection supervisory authority in the event you have a complaint or believe your rights have been infringed (in such cases we would request that you bring the matter to our attention in the first instance so that we may discuss it with you).
How we Protect Your Data
The Company has technical and organisational measures in place to protect your personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal data is held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
Who to Contact about your Personal Data
For more information, please contact dataprotection@fire1foundry.com FAO Data Protection Lead.
Privacy Policy Updates
Our business may change from time to time and it be necessary to make changes to this Privacy Policy. Please refer to it periodically, and especially before you provide any personal data. This Privacy Policy was last updated on the date indicated above.
APPENDIX 1
PERSONAL DATA PROCESSED BY THE COMPANY
| PURPOSES OF PROCESSING | PERSONAL DATA PROCESSED | LEGAL BASIS FOR PROCESSING |
|---|---|---|
| Contractors, suppliers, business contacts, website visitors. | ||
| To communicate with you and for the performance and enforcement of contractual rights and obligations; In pursuit of our commercial activities and objectives such as research and development and the promotion and expansion of our business; To manage our business operations and IT infrastructure, in line with our internal policies and procedures, including those relating to regulatory matters, finance and accounting; IT systems operation; records management and auditing. | Personal details including name, address, status within a relevant legal entity with whom we have a contractual relationship; Qualifications, experience, professional associations and references; Bank/building society details; Government or other official identification documents (e.g. tax reference number or permits); Information obtained from other sources (for example, publicly available information from online services and other information resources, third party commercial information sources, and information from our business partners). | Article 6 (1)(a): consent; Article 6 (1) (b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the Company |
| To monitor electronic communications between us (for example, emails) to protect you, our business and IT infrastructure, and that of third parties including by: – identifying and dealing with inappropriate communications; and – looking for and removing any viruses, or other malware, and resolving any other information security issues. | Email, IP address | Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the Company |
| To manage due diligence and related disclosures in the context of corporate investments and share or asset acquisitions or disposals and integration with any third party investors or acquirers; | Personal details including name, address, status within a relevant legal entity with whom we have a contractual relationship; Qualifications, experience, professional associations and references; Bank/building society details; Government or other official identification documents (e.g. tax reference number or permits); Information obtained from other sources (for example, publicly available information from online services and other information resources, third party commercial information sources, and information from our business partners). | Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the Company |
| To manage complaints, feedback and queries, and handle requests for data access or correction, or the exercise of other rights relating to Personal data; | Name, address, contact details, correspondence, identification documents if necessary. | Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the Company Article 6 (1) (c): processing is necessary for compliance with a legal obligation to which the Company is subject; |
| To establish and defend legal rights to protect our business operations, and those of our business partners, and secure our rights and the safety of our personnel, our business partners, you, or other individuals or third parties; to enforce our terms and conditions; and pursue available remedies and defences; | Personal details including name, address, status within a relevant legal entity with whom we have a contractual relationship; Qualifications, experience, professional associations and references; Bank/building society details; Government or other official identification documents (e.g. tax reference number or permits); Information obtained from other sources (for example, publicly available information from online services and other information resources, third party commercial information sources, and information from our business partners). | Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the Company Article 6 (1) (c): processing is necessary for compliance with a legal obligation to which the Company is subject; |
| To comply with legal and other requirements, record-keeping and reporting obligations, site policies, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, summons or warrants, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures. | Personal details including name, address, status within a relevant legal entity with whom we have a contractual relationship; Qualifications, experience, professional associations and references; Bank/building society details; Government or other official identification documents (e.g. tax reference number or permits); Information obtained from other sources (for example, publicly available information from online services and other information resources, third party commercial information sources, and information from our business partners). | Article 6 (1) (c): processing is necessary for compliance with a legal obligation to which the Company is subject; |
| To understand the use of our website, such as the visitor numbers and what way visitors interact with the website. | Cookies For more information on our cookies please refer to our cookie policy. | Article 6 (1) (a): data subject’s consent |
| Recruitment Candidates To determine your suitability for the role you have applied for; To keep you informed of your progress or contact you at a later date; To enter into an employment contract with you if your application is successful. | Personal details such as name, date of birth, address, email address, phone number, nationality; Employment and education history in your CV; application form or as provided by you; Referees, visa status; Other personal data supplied during the recruitment process. | Article 6 (1) (b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract |
