1. XNK THERAPEUTICS SAFEGUARDS YOUR PERSONAL INTEGRITY
XNK Therapeutics AB, corp. reg. no. 556894-6601, Hälsovägen 7, Novum, SE-141 57 Huddinge, Sweden (the “Company”), respects your privacy and is committed to maintaining a high level of security and integrity regarding your personal data. The Company is also committed to ensuring that processing is carried out in accordance with the general data protection regulation.
This Privacy Policy describes how the Company processes your personal data in your role as a representative for a company that is a partner/supplier or a potential partner/supplier to the Company. Furthermore, this privacy policy describes how the Company processes your personal data when you visit our website xnktherapeutics.com, when you apply for employment with us, and when you are participating in a clinical study that we are conducting.
If you have any questions regarding the Company’s privacy protection, please don’t hesitate to contact us by sending an email to privacy@xnktherapeutics.com.
2. CONTROLLER AND DATA PROTECTION OFFICER
The Company is the controller of your personal data and is therefore responsible for ensuring that your personal data is handled in a correct and secure way in accordance with applicable legislation.
The DPO is responsible for, among other things, to monitor and ensure that the Company’s processing of personal data is compliant with applicable legislation. For further information, please contact the DPO at privacy@xnktherapeutics.com.
3. WHAT KIND OF PERSONAL DATA DOES THE COMPANY PROCESS?
Personal data means any information that directly or indirectly relates to a natural, living person. Accordingly, personal data is information about you and your person, e.g. name, contact information, pictures of you and personal identification number.
Processing means any operation which is performed on personal data, such as collection, storage, use, adaption or disclosure.
3.1 Company representatives for e.g. suppliers and partners
The Company collects and stores the following information about you that the Company needs to be able to contact you in your role as a representative for a company or organisation.
- Personal information and contact information, such as name, address, telephone number, email address, title, position and employer.
- Information that you provide to the Company by email, when you are active on the Company’s social media or by other channels of communication.
- Where applicable, information regarding dietary preferences, potential allergies and/or disabilities (e.g. in connection with corporate events or meetings).
Your personal data is usually collected from the company or organisation that you represent, but also, where appropriate, directly from you, through email correspondence or by way of other communication in connection with your attendance at company events or meetings. The Company may also obtain personal data about you from other partners of the Company. The Company also uses external information services to supplement existing data with, e.g., your position and contact information.
Potential partners/suppliers and company representatives for potential partners/suppliers
The Company collects and stores the following information about you in your role as a potential partner/supplier to the Company, or in your role as a representative for a company that is a potential partner/supplier to the Company.
- Personal information and contact information, such as name, address, telephone number, email address, title, position and employer.
- Information that you provide to the Company by email, when you are active on the Company’s social media or by other channels of communication.
Your personal data is usually collected from the company or organisation that you represent, but also, where appropriate, directly from you, through email correspondence or by way of other communication in connection with your attendance at company events or meetings. The Company may also obtain personal data about you from other partners of the Company. The Company also uses external information services to supplement existing data with, e.g., your position and contact information.
Visitors of the Company’s website
In connection with visits to the Company’s website, the Company collects the following information about you that the Company needs to be able to improve, streamline, simplify and develop our website.
- Technical data, such as IP address, MAC address, URL, unique device ID, network and device performance, browser, language and identification settings, geographic location, operating system, other information from cookies or similar mechanisms (device information).
Personal data is provided to the Company directly from you when you visit our website.
Recruitment (job applicants at the Company)
The Company collects and stores the following information about you that the Company needs to be able to recruit the right persons for positions with the Company.
- Personal information and contact information, such as name, address, telephone number, email address, title, position and employer.
- Information in cover letter and CV.
- Where applicable, your picture.
- Other information that you provide the Company in connection with recruitment.
Personal data is provided to the Company directly from you or from a staffing agency, recruitment company or hiring company through which you apply for work.
Participants in clinical studies
The Company collects and processes the following personal data about you, when you are participating in a clinical study conducted by the Company.
- Personal identification number
- Age
- Sex
- Name (signature)
- Health data (illness, data from blood sample, data from standard analyses)
- Where applicable, results from the study (expanded and activated NK cells)
Personal data is provided to the Company directly from you or from a partner involved in the same clinical study.
4. THE COMPANY’S PROCESSING OF YOUR PERSONAL DATA
The purposes for which we intend to process your personal data and the legal basis for the respective processing activities are stated in the tables below.
Company representatives for e.g. suppliers and partners
| Purpose | Legal basis |
| To be able to manage the relationship with a representative of the supplier or partner. | The processing is necessary for the Company’s legitimate interest to keep in touch with you in order to fulfill its obligations under the agreement with its supplier or partner, i.e. the company that you represent (legitimate interest). |
| To fulfill legal requirements, e.g. security requirements and accounting requirements. | The processing is necessary for compliance with the Company’s legal obligations. |
| To enable marketing and communication (e.g. mailing of newsletters and other marketing materials, invitations to the Company’s events, meetings and other gatherings etc.). | The processing is necessary for the Company’s legitimate interest to market itself to the company that you represent (legitimate interest). |
Potential future suppliers or partners
| Purpose | Legal basis |
| To enable marketing and communication about the Company’s brand and the Company’s products (e.g. mailing of newsletters and other marketing materials, invitations to the Company’s events, meetings and other gatherings etc.). | The processing is necessary for the Company’s legitimate interest to market its brand, its products and other similar products to you or to the company that you represent (legitimate interest). |
Visitors of the Company’s website
| Purpose | Legal basis |
|
To ensure the operation of the Company’s website and application. To be able to develop the Company’s website and to better adapt the website based on how it is used. |
The processing is necessary for the Company’s legitimate interest to improve, streamline, simplify and develop its website and to market the Company and its business (legitimate interest). |
Recruitment (job applicants at the Company)
| Purpose | Legal basis |
| To, in connection with recruitment, be able to decide who is best suited for a position with the Company and to ensure that the relevant person has the necessary skills. | The processing is necessary for the Company’s legitimate interest to recruit the right employees and ensure that skilled people work for the Company (legitimate interest). |
Participants in clinical studies
| Purpose | Legal basis |
| To conduct a clinical study. | The Company’s processing is based on your consent. |
Any of the above (when applicable in connection with legal proceedings)
| Purpose | Legal basis |
| To establish, exercise or defend legal claims. | The processing is necessary for the Company’s legitimate interest to establish, exercise or defend legal claims (legitimate interest). |
5. FOR HOW LONG DOES THE COMPANY KEEP YOUR PERSONAL DATA?
Your personal data is kept for as long as there is a need to preserve them in order to fulfil the purposes for which the personal data was collected in accordance with this Privacy Policy. Thereafter, your personal data will be deleted.
Some personal data will, for the purpose of complying with applicable accounting legislation, be stored for seven years, counting from the end of the calendar year during which the financial year, to which the information pertained, was terminated.
For participants in clinical studies your personal data must be stored for 30 years due to pharmaceutical traceability purposes.
Contact information regarding company representatives is stored during such time the Company considers that the information is necessary to maintain the relationship with the company/organisation. Deletion shall take place when the Company becomes aware that the information is no longer adequate or relevant for the purpose, or at the request of the contact person.
Personal data that is processed based on your consent will be deleted if you withdraw your consent. You can at any time withdraw your consent to such processing by contacting us. For contact details see section “Contact” below.
For more information about how long the Company stores specific personal data, please contact the Company. Contact information is provided under section ”Contact” below.
6. WITH WHOM DOES THE COMPANY SHARE YOUR PERSONAL DATA?
The Company does not disclose personal data to third parties, except when necessary to fulfil a legal obligation or to fulfil the Company’s obligations to you, suppliers and partners. Your personal data will not be sold to third parties for marketing purposes. Situations when your personal data may be disclosed to third parties are listed in the table below.
| Third party | Reason for third-party disclosure |
| Suppliers of cloud solutions | Personal data may be transferred to suppliers of cloud solutions since the Company stores certain information in cloud solutions. |
| Suppliers and partners | The Company may disclose your personal data to suppliers and/or partners, if the suppliers and/or partners need your personal data to fulfil their undertakings toward the Company. |
| Authorities | Personal data may be disclosed to authorities when necessary for compliance with the Company’s legal obligations. |
| Acquirers and investors | If the Company intends to transfer all or part of its business, personal data may be disclosed to a potential buyer, and if a third party wants to invest in the Company, personal data may be transferred to such potential investor. |
| In connection with legal proceedings | If the Company is involved in legal proceedings, personal data may be transferred to third parties involved in such proceeding, including third parties in third countries (in which case such transfer is necessary for the establishment, exercise or defence of legal claims). |
7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Company may transfer your personal data to countries outside the EU/EEA. If personal data is transferred to a country outside the EU/EEA, the Company will take measures to ensure that the personal data continues to be protected and will also take the necessary measures to ensure a legal transfer of the personal data to countries outside the EU/EEA.
The Company uses the services of IT suppliers, whereby your personal data may be transferred to the United States. The Company has ensured that your rights are guaranteed when transferring personal data to the United States by signing the European Commission’s standard contractual clauses with the relevant IT suppliers. More information regarding the European Commission’s standard contractual clauses is available at the Swedish Authority for Privacy Protection’s website.
8. SOCIAL MEDIA
Regarding personal data that occurs and is processed on social media, such as LinkedIn, we refer users to the policy provided by the respective service providers for information on how each service provider processes personal data. In the Company’s view, the purpose of the processing is that representatives of existing and potential partners to the Company shall be able to interact and maintain contact with the Company via social media, and in order to contribute to good relationships with partners and potential partners. The processing is necessary for the purposes of the Company’s legitimate interest to market its brand and its business to existing and potential partners or investors (legitimate interest).
9. YOUR RIGHTS
As the controller, the Company is responsible for ensuring that your personal data is processed in accordance with applicable legislation.
The Company will, at your request or on its own initiative, rectify, erase or complete any information found to be inaccurate, incomplete or misleading.
You have the right to request access to and rectification or erasure of your personal data (e.g., if such erasure is required by applicable law), request restriction of the processing of your personal data and object to the processing, as permitted by applicable personal data legislation (e.g. if you contest the accuracy of the personal data or if the processing is unlawful but you oppose the erasure of the personal data and request restriction of its use instead). The Company will notify each recipient to whom the personal data has been disclosed in accordance with section 6 above regarding any rectifications or erasures of personal data as well as of restriction of processing of data according to this section 9.
Under certain conditions, you have the right to data portability, i.e., a right to receive your personal data in a structured, commonly used and machine readable format and the right to transmit those data to another controller.
If you do not want the Company to process your personal data for direct marketing purposes, you have the right to object to such processing at any time. When the Company has received your objection, the Company will cease the processing of your personal data for such marketing purposes.
You have the right, through a written and signed application, to obtain free of charge a register extract from the Company regarding which personal data are stored about you, the purposes of the processing and to which recipients the data has been or shall be transferred. You also have the right to obtain information about the envisaged period for which the personal data will be stored or the criteria used to determine this period. You also have the right to receive information about your other rights as specified in this paragraph 9.
We look forward to hearing from you if you have any complaints regarding the Company’s processing of your personal data, in order to correct our processing if necessary. You also have the right to file complaints regarding the Company’s processing of your personal data with the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten).
10. SECURITY OF YOUR PERSONAL DATA
You should always be able to feel safe when you provide us with your personal data. Therefore, the Company has implemented the security measures necessary to protect your personal data against unauthorised access, alteration and destruction. The Company will not disclose your personal data, other than as expressly provided by this Privacy Policy.
11. CHANGES
The Company reserves the right to change this Privacy Policy at any time. In the event of changes to this Privacy Policy, the Company will publish the amended Privacy Policy on the Company’s website with information on when the changes will come into effect, and notify relevant parties in an appropriate manner.
12. CONTACT INFORMATION
Do not hesitate to contact the Company if you have any questions about this Privacy Policy, the processing of your personal data or if you wish to exercise your rights under this Privacy Policy or applicable legislation.
The Company’s contact information:
XNK Therapeutics AB
Corporate registration number: 556894-6601
Postal address: Hälsovägen 7, Novum, SE-141 57 Huddinge, Sweden
Email address: privacy@xnktherapeutics.com