EEA Investigators and Site Personnel Notice

Introduction and Scope

Upstream Bio, Inc. (“Upstream Bio”, “we”, “us”, “our”) sponsors ethically approved clinical trials (each, a “Study”, and collectively, the “Studies”). We take the protection of personally identifiable information (“Personal Data”) very seriously. This privacy notice (the “Notice”) addresses the clinical study staff involved in conducting the Studies sponsored by Upstream Bio, including principal investigators, sub-investigators, and other health care practitioners (“HCPs”) and study site personnel (“Site Personnel”) (collectively, “Data Subjects”), who are located in the European Economic Area (“EEA”) (which includes the Member States of the European Union (“EU”) plus Norway, Iceland, and Liechtenstein) and the United Kingdom (“UK”), whose Personal Data we may receive and process in connection with your work related to the execution of the Studies.

Please read this Notice to learn what we are doing with your Personal Data, how we protect it, and how you can exercise your privacy rights.

The laws and regulations governing clinical trials require sponsors to collect, use, and retain certain Personal Data about Data Subjects who are involved in conducting their studies. Upstream Bio is required by applicable data protection laws to provide you with certain information about how and why we collect, use, hold, and protect your Personal Data.

This Notice does not apply to Personal Data collected by any other means or in other contexts, such as Personal Data collected through our website(s) or online portals, or the Personal Data of our employees, job applicants, contractors, business owners, officers, directors, or staff. This Notice does not apply to Personal Data of individual patients involved in our Studies. If you would like to learn more about how we process Personal Data of individual patients participating in the Studies, please review the informed consent form prepared for use at your study site.

If we maintain information in a manner that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data and this Notice will not apply to our processing of that information.

Controllership

Within the scope of this Notice, Upstream Bio generally acts as an independent data controller for the Personal Data processed in the context of the Studies we sponsor. This means that Upstream Bio alone determines the purpose and means of the processing of your Personal Data needed for the Studies in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK General Data Protection Regulation (“UK GDPR”).

In some jurisdictions, we may be considered a “joint controller” with another organization, typically the study site (e.g., the hospital or healthcare clinic) where the Studies are being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with Upstream Bio, you may ask the study site for further details. Our specific controllership role will be disclosed in the clinical trial agreement between Upstream Bio and the respective study site.

Upstream Bio can be contacted as follows:
Upstream Bio, Inc.
890 Winter Street, Suite 200
Waltham, MA 02451

If you have any questions about how we handle your Personal Data, you can contact us by addressing your correspondence to: info@upstreambio.com

You can also contact our Data Protection Officer directly using the contact details provided below. Please allow up to four weeks for us to reply.

Personal Data Collected About You

Clinical trial regulations such as those associated with the ICH/GCP Guidelines and those adopted by local jurisdictions oblige Upstream Bio and those acting on Upstream Bio’s behalf (such as the clinical research organization (“CRO”) that conducts the Studies on our behalf) to collect Personal Data about you including but not limited to:

  • basic identifying information, such as your first name and last name;
  • contact information, such as your phone number, physical address, and email address;
  • professional and employment related information, including but not limited to your professional qualifications and experience, job title, curriculum vitae, place of practice, the medical field in which you are active, scientific activities and areas of medical research, training records, and certification of completion;
  • professional financial data, where applicable, such as information needed for payment processing (e.g., bank account details), and details of any significant financial relationship with Upstream Bio;
  • location information, such as the location of the study site where you are based;
  • information needed for equal opportunities monitoring, such as race; and
  • any other Personal Data which you may provide to us during our interactions.

Except as set out above, Upstream Bio does not generally collect sensitive data about you (also known as special categories of Personal Data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic and biometric data) unless it is required or permitted to do so by applicable law, or you provide your explicit consent.

We receive your Personal Data when:

  • you provide it directly to us (including when you provide your Personal Data to one of our service providers acting on our behalf);
  • we receive it from the CRO that conducts the Studies on our behalf; and/or
  • you provide it to us or the CRO when you complete a pre-screening questionnaire to confirm your eligibility to participate in the conduct of the Studies.

We do not receive Personal Data about you from any other sources.

The Personal Data you provide will become part of the clinical trial databases and paper files as needed for the implementation, performance, and record-keeping (archiving) of the Studies.

Providing your Personal Data is necessary to take part in any Study activities. If you do not wish to provide your Personal Data, you will be ineligible to take part in any Study activities related to our Studies.

The Purposes for Processing Your Personal Data and Legal Bases of Processing

Your Personal Data will be collected and processed by or on behalf of Upstream Bio for the purposes described below. We have also set out the legal bases we will be relying on to process this Personal Data. Due to the fact that different countries interpret and enforce privacy laws differently, the exact lawful basis of processing we rely on to process your Personal Data may vary. Please contact us if you would like more detailed information about the applicable legal basis of processing we rely on in your jurisdiction.

The relevant lawful bases Upstream Bio relies on are:

  • Compliance with a legal obligation: Upstream Bio may process your Personal Data to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect Personal Data from individuals who participate in the conduct of the Studies and the laws regulating the safety and reliability of the Studies.
  • Legitimate interests pursued by Upstream Bio: Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests. Upstream Bio may process your Personal Data based on our legitimate interests in facilitating and conducting the Studies, which includes making informed investigator selection decisions, and improving our HCP and Site Personnel recruiting and contracting processes. When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided in this Notice.
  • Performance of contract: Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without the necessary Personal Data, we will not be able to fulfil our contractual obligation towards you.
  • Consent: Personal Data may be processed based on your consent. Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds.

Purpose | Legal basis
Managing your participation in the conduct of the Study and the participation of the study site. | Performance of contract and legitimate interests
Managing our relationship with you, including communicating with you and the study site in connection with the planning, organization, and status of the Study. | Performance of contract and legitimate interests
Conducting and analyzing the Studies as required or permitted by laws, regulations, and/or guidelines governing clinical trials (including responding to adverse events, drug safety concerns and complaints, medical information inquiries, and performing monitoring visits, inspections, and audits of the Studies at the study site at which you work). | Compliance with a legal obligation and legitimate interests
Supporting applications for approval of the product under investigation. | Compliance with a legal obligation and legitimate interests
Assessing conformance with Upstream Bio’s policies. | Legitimate interests
Monitoring of equal opportunity practices and standards. | Compliance with a legal obligation and consent
For regulatory compliance and investigations and health and safety. | Compliance with a legal obligation and legitimate interests
For legal proceedings (including prospective legal proceedings), and obtaining legal advice. | Compliance with a legal obligation and legitimate interests
Confirming your qualifications and experience (in order to comply with the suitability requirements for individuals conducting studies in terms of clinical trials legislation). | Legitimate interests
Publicly disclosing payments or benefits in kind (i.e., transfers of value) made to you in connection with the Studies and/or our agreement with you, in accordance with applicable law and pharmaceutical industry codes. | Compliance with a legal obligation
Complying with applicable laws and regulations, as well as requests from regulators, courts, law enforcement authorities, or government investigators. | Compliance with a legal obligation
To protect Upstream Bio against damage, injury, theft, legal liability, fraud, abuse or other misconduct. | Compliance with a legal obligation and legitimate interests

Recipients and Transfer of Your Personal Data

We may share your Personal Data with other companies within our group, our service providers (including IT companies, cloud processors, security companies and others), contractors, researchers and research institutions, laboratories, professional advisors such as lawyers, insurers, consultants, and auditors who will use your Personal Data only for the purposes described above. We may also share your Personal Data in the context of a business transaction where Upstream Bio is involved in a merger, acquisition or asset sale, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, including as part of any due diligence process. Further, your Personal Data may be disclosed to law enforcement agencies, regulatory bodies, public authorities or pursuant to the exercise of legal proceedings if we are legally required to do so, or if we believe, in good faith, that such disclosure is necessary to comply with a legal obligation or request, to enforce contractual terms, to prevent or resolve security or technical issues, or to protect the rights, property or safety of Upstream Bio, our employees, a third party, or the public. All aforementioned third party recipients are referred to below as our “Recipients”.

Upstream Bio and our Recipients may process your Personal Data in countries outside the EEA or the UK for the purposes described in this Notice. Please note that the GDPR and UK GDPR only allow us to transfer Personal Data outside of the EEA or the UK if the country that the data is being transferred to offers an adequate level of protection for the Personal Data which is equivalent to the EU or UK law. In some cases, the European Commission may have determined that the laws of certain countries provide an adequate level of protection to Personal Data. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data.

To the extent that your Personal Data is shared with Recipients which are located in countries not recognized as providing an adequate level of protection to Personal Data, Upstream Bio will only transfer your Personal Data when there are appropriate safeguards to govern such transfers outside your jurisdiction, for example, the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the GDPR (or a similarly appropriate contractual transfer mechanism) and the UK International Data Transfer Addendum or the UK International Data Transfer Agreement. If you require further details, please contact us using the details provided in this Notice.

Please note that we will only transfer your Personal Data outside of your country in accordance with the applicable laws.

Storage Period

We intend to retain your Personal Data for no longer than is necessary for the purposes for which it has been collected, as described in this Notice. Your Personal Data associated with the conduct of the Studies and as contained in the clinical trial master file will be stored for a period of at least 25 years after completion of the Studies in accordance with Article 58 of the Clinical Trial Regulation 536/2014 and/or applicable UK clinical trials legislation (such as the Medicines for Human Use (Clinical Trials) Regulations 2004, as amended from time to time).

Data Integrity and Security

We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.

Your Rights as a Data Subject

Subject to certain limitations and exclusions under applicable law, you may be entitled to contact Upstream Bio to exercise your rights to access, correct, restrict, delete, or object to the processing of your Personal Data or request that your Personal Data is received in a structured, commonly used and machine-readable format and have it transmitted to another controller. Each of these rights is discussed in more detail below.

Right to Know What Happens to Your Personal Data
This is otherwise known as the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

Right to Know What Personal Data We Have About You
This is otherwise known as the “right of access”. This right allows you to ask for full details of the Personal Data we hold about you. You have the right to obtain from us confirmation of whether or not we process Personal Data concerning you, and, where that is the case, a copy of or access to the Personal Data and certain related information. Once we receive the request and confirm that it came from you or your authorized agent, we will disclose the relevant information to you, which may include:

  • the categories of your Personal Data that we process;
  • the categories of sources for your Personal Data;
  • our purposes for processing your Personal Data;
  • where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
  • the categories of third parties with whom we share your Personal Data;
  • the specific pieces of Personal Data we process about you in an easily-sharable format;
  • if we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests (for example, to process a request made by you); and
  • the appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

Right to Change Your Personal Data
This is otherwise known as the “right to rectification”. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.

Right to Delete Your Personal Data
This is otherwise known as the “right to erasure”, “right to deletion”, or the “right to be forgotten”. This right means you can ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons (such as if the law requires us to maintain a record of your involvement in a Study). If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Data
This is otherwise known as the “right to restrict processing”. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data
This is otherwise known as the “right to object”. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party).

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Data
This is otherwise known as the “right to data portability”. It is the right to ask for and receive a portable copy of your Personal Data that you have given us, so that you can:

  • move it;
  • copy it;
  • keep it for yourself; or
  • transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.

Right Related to Automated Decision Making
We do not, as at the date of this Notice, use automated decision-making. However, if we do in the future, for decisions that may seriously impact you, you have the right not to be subject to automated decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect it may have on you or your Personal Data.

Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds.

Right to Lodge a Complaint with a Supervisory Authority
If the GDPR or UK GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.

Specifically, you can lodge a complaint in the Member State of the EU of your habitual residence, place of work, or the alleged violation of the GDPR. In the UK, you can lodge a complaint with the UK Information Commissioner’s Office (ICO). A listing of each EU country’s supervisory authority may be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

How to Exercise Your Rights
If you wish to make a request, then please contact us using the details provided in this Notice. You may also contact our Data Protection Officer, VeraSafe, by sending an email to experts@verasafe.com. In order to correctly respond to your privacy rights requests, the Data Protection Officer will need to confirm that you made the request. Consequently, they may require additional information to confirm that you are who you say you are.

The Data Protection Officer will request the minimum amount of information from you required to verify your request and will only request information that is already held pertaining to you. Any Personal Data you provide related to the request will be used only in order to verify your identity or authority to make the request.

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer. While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:

VeraSafe, LLC
100 M Street S.E., Suite 600
Washington, D.C. 20003 USA
Phone: +1 (617) 398-7067
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/

Data Protection Representative

While you may contact us at any time, our data protection representative can be contacted about matters related to the processing of your Personal Data.

European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/.

Alternatively, VeraSafe can be contacted at:

VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

United Kingdom Representative
VeraSafe has also been appointed as our representative in the UK for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.

Alternatively, VeraSafe can be contacted at:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom

Changes to this Notice

If we change this Notice, we will make the revised Notice available to you. We will also update the date of this Notice as recorded in the footer of this document.

EEA Investigators and Site Personnel Notice; V.3.0, Effective 19Jul2022