WHO WE ARE
In this Privacy Notice, ‘CGT Catapult’, ‘CGTC’ and all references to ‘we’, ‘our’ and ‘us’ means the Cell Therapy Catapult Ltd and subsidiaries., trading as Cell and Gene Therapy Catapult. We are a company incorporated and registered in England and Wales with company number 07964711 and our registered office is at 12th Floor Tower Wing, Guy’s Hospital, Great Maze Pond, London, SE1 9RT.
For the purposes of the UK GDPR, we are a Controller and we are registered with the Information Commissioner’s Office (ICO) under registration number ZA460539.
WHAT IS THIS PRIVACY NOTICE FOR?
This privacy notice is for data collected by CGTC for the purposes of developing and running our operations. We may collect personal data such as name, profession, phone numbers, email, workplace, dietary requirements relating to business development via our website or through any interactions we have with you at events or other correspondence. This notice informs you about how we protect your privacy and sets out the different areas where your privacy is concerned, outlining the data which is collected, the way it is processed, where it is stored and how long it is retained.
WE ARE A DATA CONTROLLER
CGTC is a Controller of the personal data that you (the data subject) provide to us. We take data protection and security very seriously. Your personal data will only be available to relevant employees who need access to it. Our policy is to only use data processors who comply with the requirements set out in the UK GDPR and /or the EU GDPR (whichever is applicable). We maintain a data protection policy which governs the use and storage of all data that we process.
ABOUT YOUR DATA
Users contacting any of CGTC’s services do so at their own discretion. Your personal information is kept private and stored securely until a time it is no longer required, has no use or you request for it to be deleted, in accordance with your rights, listed below.
CGTC regularly uses information you submit to provide you with further information about the products/services that we offer or to assist you in answering any questions or queries that you may have submitted. This includes using personal details to subscribe you to any email newsletter program CGTC operates but only if this was made clear to you and your express permission was granted.
EVENTS AND COMMUNICATIONS
CGTC operates a contact program, used to inform subscribers about events, white papers, scientific research, sector specific news, products and services that CGTC offers. Users can subscribe through an online automated process should they wish to do so, but they do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.
All personal details relating to subscribers are held securely and in accordance with the UK GDPR and / or the EU GDPR (whichever is applicable).
Email marketing campaigns published by CGTC may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include; the opening of emails, the clicking of links within the email content, times, dates, frequency of activity, IP organisation, IP address, company name, country, state, postcode.
This information is used to refine future email campaigns and to supply the user with more relevant content based around their activity.
CGTC processes this data using the lawful basis of either legitimate interest or consent.
In compliance with data protection and electronic communications regulations, subscribers are given the opportunity to unsubscribe at any time through an automated system. This process is detailed in the footer of each email campaign. If an automated un-subscription system is unavailable, clear instructions on how to unsubscribe will by detailed instead on request.
EVENTS HOSTED BY CGTC
CGTC may host events and require additional information for the organisation of such events. All personal details regarding attendees are held securely and in accordance with the UK GDPR and / or the EU GDPR (whichever is applicable). The additional information required may include but is not limited to biographies, dietary requirements and accessibility needs. CGTC will share this information with third parties, such as the caterers only to the level required to allow for organisation of the event. Such information will be retained according to our Data Retention Policy. Our lawful basis for this processing is legitimate interests but if we are processing special category personal data, such as food allergies, our lawful basis will be explicit consent.
EVENTS HOSTED BY THIRD PARTIES AND SPONSORED BY CGTC
CGTC may sponsor events, and as sponsor we shall sometimes be provided with personal data of the attendees such as name and contact details from the event organiser/host. The event organiser/host should inform you of when your personal details are being shared. All personal details regarding attendees are held securely and in accordance with the UK GDPR and / or the EU GDPR (whichever is applicable). Our lawful basis for this is legitimate interest and Such information will be retained according to our Data Retention Policy.
EXTERNAL LINKS AND EMBEDDED CONTENT
Although CGTC looks to only include quality, safe and relevant external links and content, users are advised to adopt a policy of caution before clicking any external web links mentioned throughout this platform.
External links are clickable text/banner/image links to other websites. Embedded content may include videos from other platforms such as YouTube, Vimeo, Wistua etc.
CGTC cannot guarantee or verify the contents of any externally linked website or embedded content despite their best efforts. Users should, therefore, note they click on external links or content at their own risk and CGTC cannot be held liable for any damages or implications caused by visiting any external links mentioned.
SOCIAL MEDIA PLATFORMS
Communication, engagement, and actions taken through external social media platforms that CGTC participates on are covered by the terms and conditions as well as the privacy policies held with each social media platform respectively.
CGTC will never ask for personal or sensitive information through social media platforms and encourages users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.
CGTC may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.
The main reasons that we collect data regarding trials subjects are:
1. Trials subjects – we provide clinical research to subjects who have consented to a clinical trial. We will hold pseudonymised data on you, which means that we are unable to identify your name or further personal information. All correspondence will remain with the holder of your master record, which is the body where you signed up for the trial. By working in this way, we can maintain your privacy and collect only the information we need to undertake the trials. Clinical trials are only carried out with your informed consent and your rights are further explained on the ‘informed consent form’ that you will be asked to sign. Clinical trials data is retained for 30 years. We might publish results of trials, but before we do we will ensure that all personal information is removed from any report. Our lawful basis for processing is relation to trials is consent.
Your data may be shared with regulators in order to comply with legal obligations.
2. Support services – we might collect and hold personal information in providing supporting services, for example:
- Managing enquiries
- Managing complaints
Our lawful basis for this processing is legitimate interests.
CLIENTS, COLLABORATORS AND COMMERCIAL PARTNERS
The main reasons that we collect data regarding clients and commercial partners, which will include other partners such as academics wishing to work with Cell Therapy Catapult are:
1. Managing relationships – We will collect the details for our contacts within your organisation, such as names, telephone numbers and email addresses. We may also hold extra information that you or someone in your organisation has chosen to tell us. We hold this information in order that we can maintain a relationship with you and enter into contractual arrangements etc.
2. Managing finances – We may collect personal information in relation to our Finance processes such as bank details, so that we can pay you. In certain circumstances, such as when you engage with our Finance teams, we may share information with other third parties such as debt recovery agents.
3. Licensing and IP – If you are partnered with us on a new therapy, device or manufacturing process then some limited personal data may be included in our licensing applications in order to comply with legal obligations. In general, these will be shared with UK entities such as the MHRA and UK IP Office, however it is possible that information might also be passed to other authorities outside of the UK. In these cases, we will ensure that your data is protected by recognised safeguards as detailed in the international section of this privacy statement.
4. Meeting regulatory requirements – we will collect personal information in the process of managing our clinical trials, running our manufacturing facilities and supporting services in a compliant manner. We need to obtain and maintain personal information to evidence clinical trials safety, compliance with GCP and GMP regulations, such as identification and career and qualifications records, medical information to support incident investigations, and training records. Where we collect any sensitive information, we ensure that we have a lawful reason, or we obtain your explicit consent.
Where information is collected to support the manufacture of pharmaceuticals we will retain this information according to the regulations, usually 10 years. If the personal data is required to support clinical trials, it will be retained for 30 years to meet our regulatory obligations.
Where applicable, your data may be shared with official agencies such as clinical trials regulators. Our lawful basis for this processing is either contract or legitimate interests. If our contract is with an individual, the lawful basis will be contract, as we will be processing the data in order to fulfil our obligations under the contract with that individual. If the contract is with an organisation, we will process the personal data of the representative of that company in order to fulfil our obligations under the contract with the company and in these circumstances, we will be processing the personal data under the lawful basis of legitimate interests.
As mentioned above, we use some of your personal data in our legitimate interests, we do not think that any of the following activities prejudice individuals in any way – in fact, they help us to offer you a more tailored, efficient service. However, you do have the right to object to us processing your personal data on this basis.
5. Marketing and developing our business – we may from time to time collect personal information from you or other sources to help us to grow our business, such as when you provide us with a business card or we obtain your information at conferences etc. If we do obtain information in this way, we will inform you of our intention to use it in the development of our business.
We will always respect your right to restrict this type of processing of your personal data by providing you with the opportunity to opt-out of these type of processing. Our lawful basis for this processing is legitimate interests.
6. Support services – we might collect and hold personal information in providing supporting services, for example:
- Contacting individuals in relation to press releases
- Collating and managing business proposals
Our lawful basis for this processing is either consent or legitimate interests, depending on the circumstances.
Collaborators at the Stevenage Site – in addition to the above, the following personal data is processed:
7. Records and personal data required for compliance with GMP will be processed as per regulatory requirements, including those required for training record maintenance, incident management, audit records, change control management and other QMS activities, and access control logs (for example for adverse event and product recall procedures). These records will be retained as required by regulations, usually 10 years.
8. Access control logs are kept for both CGTC employees and collaborators for the purpose of both compliance with GMP and for safety and security reasons. These are kept for ten years. Collaborator staff lists are held in order to issue access cards and for the purpose of security, individuals are removed from the list on termination of employment. Vehicle details are also kept for the purpose of security. These are only kept until we are notified of a change of vehicle or the employee or collaborator leaves employment. Processing for security reasons is in our legitimate interests.
SUPPLIERS AND SERVICE PROVIDERS
The main reasons that we collect data regarding suppliers are:
- Managing relationships – We will collect the details for our contacts within your organisation, such as names, telephone numbers and email addresses. We may also hold extra information that someone in your organisation has chosen to tell us.
- Managing finances – We may collect personal information in relation to our finance processes such as bank details, so that we can pay you. If you do not provide us with your payment details we will not be able to pay you. In certain circumstances, such as when you engage with our finance teams, we may share information with other third parties such as debt recovery agents.
- Meeting mandatory requirements – we will collect personal information in the process of managing our clinical trials, running our manufacturing facilities and supporting services in a compliant manner. We need to obtain and maintain personal information to evidence clinical trials safety, compliance with GCP and GMP regulations, such as identification and career and qualifications records, medical information to support incident investigations, and training records. Where we collect any sensitive information or special category personal data, we ensure that we have a lawful reason, or we obtain your explicit consent.
Where information is collected to support the manufacture of pharmaceuticals, we will retain this information according to the regulations, usually 10 years. If the personal data is required to support clinical trials, it will be retained for 30 years to meet our regulatory obligations.
In providing these services, your data may be shared with official agencies such as clinical trials regulators.
Our lawful basis for this processing is either contract or legitimate interests. If our contract is with an individual, the lawful basis will be contract, as we will be processing the data in order to fulfil our obligations under the contract with that individual. If the contract is with an organisation, we will process the personal data of the representative of that company in order to fulfil our obligations under the contract with the company and in these circumstances, we will be processing the personal data under the lawful basis of legitimate interests.
We maintain records of visitors to our sites, include access card logs and vehicle information, for the purpose of safety and security. We have a legitimate interest in holding this information, which is retained for up to six months.
During the COVID-19 pandemic, there may be times when records of COVID-19 status and test results will be required and maintained for six months. Our lawful basis for this is public health. These records will be kept confidential. The exact nature of the records collected and kept may vary and is dependent on government guidance and identification of internal best practices.
ONLINE PLATFORM USERS
The main reasons that we collect personal data regarding users who register to a platform are:
- For management and administration of user accounts, which may require sharing personal data with third parties who administer, support or maintain the platforms.
- For reporting of metrics as necessary for example to improve the performance of the platform and the service provided.
- We may contact you to invite you to take part in surveys from time to time on the utility of the platform and invite you to take part in a case study. The purpose of this is to measure the impact that the programme is having on the progression of training, skills and expertise within the industry. Participation is entirely voluntary. The results of surveys will be retained for five years.
Our lawful basis for this processing is consent.
For individuals who are using the ATAC programme, in addition to the reasons listed above under “Online Platform Users”, we also collect personal data from you and data from training providers for the following purposes:
- Managing your progress on apprenticeship programmes – We may collect personal details in relation to your progress on your apprenticeship such as names, telephone numbers, email addresses, attendance records, progress against the criteria of your standard or framework and eligibility. This enables us to discuss your apprenticeship programme with your training provider and employer, and enables us to offer you that ATAC support and extra activities to help you be successful.
Our lawful basis for this processing is consent.
HOW LONG WE KEEP YOUR DATA
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements. Please see each section above for the applicable retention periods. Alternatively, please contact firstname.lastname@example.org or 0203 728 9500 for more information on our personal data retention schedule.
WHERE YOUR DATA IS PROCESSED AND STORED
CGTC assesses any data processor it engages in relation the processing of your personal data, including storage. As part of this assessment, we ensure that we have a relevant data processing agreement in place.
We do not normally transfer any personal data outside of the UK or the European Economic Area (EEA). If we do, we will take appropriate technical and organisational measures to safeguard your personal information as we:
- only allow personal data to be processed in countries in respect of which the UK has adequacy regulations, together with supplementary measures, if appropriate.
- we enter into appropriate contracts which the UK have confirmed provide adequate protection for personal data (Standard Contractual Clauses were initially approved by the European Commission and have been adopted by the UK for the time being. This may change in the future and the UK may issue its own contractual clauses. For the time being, see European Commission: Model contracts for the transfer of personal data to third countries). Supplementary measures may also be implemented, if appropriate.
WHAT ARE YOUR RIGHTS?
Under the UK GDPR and the EU GDPR you have a number of rights in relation to your personal data.
Right to Access – you may request a copy of the personal information that we hold about you.
Right to Rectification – You have a right to have data corrected if you believe that the data that we hold on you is incorrect. We would love to hear from you if you feel that we have something wrong.
Right to Erasure – In some circumstances, you have the right to have data we hold on you deleted.
Right to Restrict Processing – In some circumstances you have the right to ask us to stop processing your data without deleting it from our systems. You may do this for example if you want us to hold on to it for a different purpose.
Right to Object – You have the right to object to any processing that we undertake. We will take any objections into account but may override them if we can demonstrate that we need to continue with the processing. However, if the purpose we are processing your data is purely for marketing purposes, we always respect your right to object.
Right to Transfer – You have the right to have any data that we hold on you transferred to another controller.
Automated Decision Making – You have a right not to be subject to a decision based solely on automated processing, including profiling, if the decision produces legal effects for you or similarly affects you.
In the event that you wish to exercise any of your rights or that you wish to complain about how we have handled your personal data, please contact our Data Protection Officer at email@example.com or in writing at:
Cell and Gene Therapy Catapult
C/O Data Protection Officer
12th Floor Tower Wing, Guy’s Hospital
Great Maze Pond
Alternatively, you may contact us by telephone on 020 3728 9500
Our Data Protection Officer will then investigate your query or complaint and work with you to resolve the matter.
If you still feel that your personal data has not been handled appropriately according to the law, you can contact Information Commissioner’s Office (ICO) and file a complaint with them. The ICO can be contacted as follows:
Information Commissioner’s Office
Telephone: 0303 123 1113