1 General information
1.1 Responsible parties for your data
Below, it is described how Alligator Bioscience AB, company reg. no. 5565978201, with the address Scheelevägen 2, 223 81 Lund, Sweden, and its subsidiaries, (“Alligator”, “the Alligator Group”, “us” or “we”), process personal data. Privacy matters are important to us, and your integrity is our priority. Therefore, it is important for us to protect your personal data and ensure that our processing of the data is conducted in a correct and lawful manner.
1.2 Data Protection Officer
To update, rectify or erase personal data that we have collected about you, or to enforce your rights as described above, you are welcome to contact our Data Protection Officer at email@example.com.
1.3 Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with your supervisory data protection authority. In Sweden the supervisory authority for privacy is Integritetsskyddsmyndigheten (www.imy.se).
1.4 Data protection principles
Alligator displays its commitment to privacy and data protection by among other things embracing the following principles in accordance with article 5 GDPR:
- Alligator only processes personal data lawfully, fairly, correctly and in a transparent manner.
- Alligator only collects necessary personal data, and only to fulfill a legitimate purpose.
- Alligator stores personal data for as long as it is necessary and erases it when it’s no longer needed.
- Alligator protects personal data with appropriate technical and organizational security measures.
1.5 Place of processing
Alligator processes your personal data within the EU/EEA. However, in exceptional cases, and when necessary, Alligator may transfer data to a country outside the EU/EEA. Any such third country transfer will be carried out in accordance with Articles 44-49 in the GDPR and applicable national data protection legislation. The transfer of your personal data to a third country will be based on Standard Contractual Clauses (SCCs) if the transfer cannot be based on an adequacy decision, together with supplementary measures such as pseudonymization of personal data.
If you have further questions concerning the transfer of your personal data outside the EU/EEA, you may contact us at firstname.lastname@example.org.
You can also read more about the GDPR and how organizations may transfer personal data on the Swedish supervisory authority’s webpage.
1.6 Legal basis
Alligator only processes (collects, stores, transfers, uses etc.) your personal data with a legal basis in accordance with Article 6 GDPR. The legal basis may be your consent, the performance of a task carried out in the public interest, a contract, statutory obligations or our legitimate interest as a business. Alligator only processes sensitive personal data if one of the exceptions in Article 9 GDPR is fulfilled.
1.7 Third parties
Your personal data will be disclosed to a third party only if any of the following criteria applies:
- you have given us your explicit consent to do so (pursuant to Article 6.1(a) GDPR),
- necessary for the performance of a contract with you (Article 6.1(b) GDPR),
- necessary for the compliance with a legal obligation (Article 6.1 (c) GDPR),
- necessary for the performance of a task carried out in the public interest (Article 6.1 (e) GDPR),
- required for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6.1 (f) GDPR).
Third parties may be:
- Suppliers/vendors acting as processors/sub-processors which process personal data on behalf of Alligator
- Legal authorities in accordance with law requiring us to disclose information.
- Clinical Research Organizations (CRO) which process personal data on behalf of Alligator.
- Cloud service providers which process personal data on behalf of Alligator.
The data processors engaged may only process personal data in accordance with the purposes and instructions that Alligator issues for the processing. The processor and anyone acting on behalf of the processor may furthermore never see more data than is necessary to carry out the service covered by the agreement with Alligator. Where personal data is to be processed by a data processor, a so-called data processor agreement is drawn up. Alligator uses data processors for various kinds of IT services.
2.1 Corporate partners
We may process personal data attributable to you as a corporate partner (e.g., suppliers, distributors and research collaborators). The personal data Alligator may process is name, title, telephone number, e-mail address, business address, social security number and name of employer.
The personal data listed above is processed for the purposes of, and based on our legitimate interest in, project management, administering agreements with corporate partners, project participators and suppliers/distributors, contacts regarding business and sales purposes and marketing. Furthermore, the personal data is processed for the purpose of, and based on our legitimate interest in, invoicing company partners.
We may process your social security number for the purpose of invoicing and other business administration conducted on the legal basis of being necessary for the performance of the contract with the sole trader and per requirements of the Swedish book-keeping legislation.
Personal data from corporate partners will be kept for as long as necessary for the performance of the project or agreement, or for the ongoing business relationship.
Personal data processed for the purpose of invoicing will be stored for seven years as this is a requirement under Swedish book-keeping legislation.
Personal data processed for the purpose of contacting the contact person for business and sales purposes will be deleted within six months as of the date the business relation with the business contact ends.
Personal data processed for the purpose of marketing will be stored until you choose to opt out of additional marketing.
2.2 Job applicants
During a recruitment process we may process your personal data in order to carry out the recruitment. Your data will only be processed for the purpose of the application process and, if applicable, for the purpose of your subsequent recruitment. The personal data above is processed for the purpose of, and based on our legitimate interest in, assessing job applicants prior to potentially hiring you and to be able to carry out online personality tests of the applicant.
Only authorized personnel at Alligator will be accessing the personal data collected through the recruitment process.
Once we have notified you about our decision concerning the recruitment, we shall either completely erase your data or (in the event of your recruitment) store them in your personnel file.
2.3 Clinical trials
Patients participating in clinical trials
We process pseudonymized personal data attributable to you as a patient participating in clinical trials. This means that all your clinical research data is coded, and your identity is not revealed to Alligator Group at any time. Your personal data will be processed for the following purposes:
- For the performance of the study and development.
- As required to comply with applicable laws and regulations.
- In aggregated and anonymized form in connection with scientific research.
Every time we process your personal data in a clinical trial, we will rely on a legal basis of processing under GDPR. We process personal data in clinical trials for the performance of a task carried out in the public interest. We also process personal data in clinical trials in the context of safety reporting or in the context of an inspection by a national competent authority, or the retention of clinical trial data in accordance with archiving obligations set up by the Clinical Trial Regulation (CTR) or, as may be the case, relevant national laws, to comply with legal obligations to which we are subject.
We will need to process data about health in clinical trials. Health data is a “special category” of personal data under the GDPR. Special rules apply to this type of data. We process special categories of personal data (sensitive personal data) only if one of the exceptions in Article 9 of the GDPR becomes applicable to the processing, such as the exception in Article 9 (2)(i) or 9 (2)(j) GDPR.
Personal data in clinical research is only processed by authorized personnel at the Alligator Group.
The storage of personal data in clinical trials depends on our responsibilities under relevant legislation such as EU clinical trials regulation.
You will receive additional information about data protection, and you will have the opportunity to raise any questions before consenting to participate in our clinical trials.
Health care professionals
For healthcare professionals, we will collect your CV including your personal information. The purpose and legal basis for this processing is our legal obligation as required by International Council of Harmonization Good Clinical Practice.
The storage of personal data in your CV depends on our responsibilities under relevant legislation.
2.4 Subscribers to newsletter
We may process the personal data such as name, e-mail address and company attributable to you as a subscriber to our newsletter. This personal data is processed for the purposes of providing marketing, press releases and newsletters. The processing is based on your consent.
Personal data related to newsletter subscribers is stored until you withdraw your consent.
2.5 Office visitors
We may process personal data attributable to you such as your name and company as a visitor at our premises. The personal data above is processed for the purposes of, and based on our legitimate interest in, maintaining security, facilitating the delivery of goods and appointing visitors to the correct host at Alligator.
Personal data related to office visitors is deleted within three months of your visit.
2.6 Investors and insiders
We may process personal data such as name, telephone number, e-mail address and organization/employer etc. attributable to you as an investor or insider.
The personal data relating to investors listed above is processed for the purposes of, and based on our legitimate interest in, logging investor meetings to facilitate future contacts and to keep track of such interactions.
Regarding insiders, the personal data listed above is processed for the purposes of complying with financial regulations and legislation, and for being able to register insiders with the Financial Supervisory Authority (Sw. Finansinspektionen) and keep insider lists. The processing is carried out based on our legal obligations to provide such information to the Financial Supervisory Authority and to comply with applicable laws and regulations.
Personal data related to investors and insiders will be continuously reviewed every second year and outdated personal data will then be deleted.
We place non-essential cookies on your device only if you have given your explicit consent. You can withdraw your consent at any time if you change your mind. As a visitor, you can set your own browser to allow cookies to be stored on your computer or not. You can also choose to delete any cookie file that has been placed on your computer at any time.
3.2 How to use our website without cookies
- Internet Explorer: https://support.microsoft.com/en-us/windows/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d#ie=ie-11
- Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectslug=delete-cookies-remove-info-websites-stored&redirectlocale=en-US
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
- Apple: https://support.apple.com/en-us/HT201265
- Android: https://discover.hubpages.com/technology/How-to-delete-internet-cookies-on-your-Droid-or-any-Android-device
- Chrome, Android: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=en
4 Your rights as a data subject
You have the right to exercise the following rights at any time by getting in touch with our Data Protection Officer at email@example.com.
Right to withdraw consent (Article 7 GDPR)
If we process personal data about you with consent as a legal basis, you may withdraw your consent at any time by contacting firstname.lastname@example.org or your health care provider, although in certain cases we may need to further process your personal data in accordance with law.
Right to be informed (Article 13-14 GDPR)
You have the right to be informed concerning our processing of your personal data. This is carried out by providing you with information in this Privacy Notice, specific information forms provided to you or by answering your questions sent to email@example.com.
Right of access (Article 15 GDPR)
You have the right to obtain information on the processing of your personal data, and if so, receive a copy of it. Such a copy is commonly referred to as a Data Subjects Access Request (DSAR).
You can send your request for access to firstname.lastname@example.org.
Right to rectification (Article 16 GDPR)
If you deem your personal data inaccurate or incomplete, you have the right to have the data corrected (rectified).
You have the right to contact us and request that inaccurate information about you be rectified. This also means that you have the right to add such personal data that is missing and that is relevant taking into account the purpose of the personal data processing. We must also ensure that the data is accurate and up to date.
If data is rectified at your request, we must also inform you that data has been rectified. This does not however apply if it should prove to be impossible or would involve excessive effort.
You can send your request for rectification to email@example.com.
Right to erasure (Article 17 GDPR)
You have the right to contact us when we process your personal data and request that the data relating to you be erased. The data is to be erased in the following cases:
There are exceptions to the right to erasure and the obligation to inform others if it is necessary in order to satisfy other important rights such as the right to freedom of expression and freedom of information, fulfil a legal obligation, carry out a task in the public interest or as part of the exercise of official authority.
You can send your request for erasure to firstname.lastname@example.org.
Right to restriction (Article 18 GDPR)
In certain cases, you have the right to demand that the processing of your personal data be limited. “Limited” means that the data is flagged so that in future it may only be processed for certain limited purposes.
The right to limitation applies, among other things, when you as a data subject consider that the data is inaccurate and have requested rectification. You can in such cases also request that the processing of your personal data be limited while the accuracy of the data is investigated.
You can send your request for restriction/limitation to email@example.com.
Right to data portability (Article 20 GDPR)
In certain instances, you have the right to transfer your personal data from one controller to another, provided you have given us your permission for the data processing, or you have concluded a contract with us. This can be carried out either by the controller from which the data is being transferred, or by you receiving the personal data in a commonly used machine-readable format.
You can send a request for data portability to firstname.lastname@example.org.
Right to object (Article 21 GDPR)
When the processing is based on public or legitimate interest (Article 6 subsection 1 e and f, including profiling) you have the right to object to the processing. If Alligator cannot prove that there is a justified public or legitimate interest, we must cease the processing of that personal data.
You can send your request for objection to email@example.com.
Right to file complaint to the supervisory authority
You can file a complaint to the Swedish supervisory authority or other supervisory authorities where you are located.
More information about your rights
You can read more about your rights as a data subject under the GDPR on the Swedish supervisory authority’s webpage here: https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/
5 Modifications to our data protection provisions
We reserve the right to adjust this data protection statement, so that it always conforms to the current legal requirements, or in order to implement changes in the data protection statement that concern our services, as may be the case when new services are introduced. Whenever you then visit our website, the new data protection statement will be applicable.