Privacy Notice
Oncopeptides AB (publ), reg. no 556596-6438, and our subsidiaries (” Oncopeptides”, ”we” or “us”) care about your privacy and it is important to us to protect your personal data and ensure that our processing of the data is conducted in a correct and lawful manner. Below it is described how we process personal data.
This privacy notice relates to processing of personal data for which Oncopeptides is the controller, which means that we are responsible for the processing of your personal data. It also means that you should turn to us with questions or remarks, or if you wish to enforce any of your rights in relation to our processing of your personal data.
Processing activities
Below you will find information about the purposes, types of personal data, legal basis and the storage time of the processing of personal data.
Clinical studies
Participants in clinical studies
We process pseudonymized personal data attributable to you as a participant in clinical studies. This means that all your clinical research data is coded, and your identity is not revealed to Oncopeptides at any time.
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| For the performance of the study and development.
As required to comply with applicable laws and regulations. In aggregated and anonymized form in connection with scientific research. |
Pseudonymized personal data | We process personal data in clinical studies for the performance of a task carried out in the public interest, pursuant to Article 6.1(e). We also process personal data in clinical studies in the context of safety reporting or in the context of an inspection by national competent authority, or the retention of clinical study data in accordance with archiving obligations set up by the Clinical Trial Regulation (CTR) or, as may be the case, relevant national laws, to comply with legal obligations to which we are subject to.
We will need to process data about health in clinical studies. Health data is a “special category” of personal data under the GDPR. Special rules apply to this type of data. We process special category of personal data (sensitive personal data) only if one of the exceptions in Article 9 of the GDPR becomes applicable to the processing such as the exception in Article 9 (2)(i) or 9 (2)(j) GDPR. |
Personal data may be shared with authorized representatives of Oncopeptides as well as suppliers of Electronic Data Systems, central ECG:s, central X-rays, IWRS/IVRS (randomization technologies). |
| Retention and storage time: Clinical study data up to a period of 25 years. The published study results will only contain anonymized information regarding the participants. | |||
Health care professionals
We process personal data attributable to you as a health care professional participating in investigations and experiments of clinical studies.
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| Investigating and experimenting to gather knowledge, test hypotheses, or solve problems. |
|
The legal basis for the processing of your personal data in connection with the clinical study is public interest, pursuant to Article 6.1(e), as the processing of your personal data is necessary for the performance of a task carried out in the public interest.
We also process personal data in clinical studies in the context of safety reporting or in the context of an inspection by national competent authority, or the retention of clinical study data in accordance with archiving obligations set up by the Clinical Trial Regulation (CTR) or, as may be the case, relevant national laws, to comply with legal obligations to which we are subject to. |
The responsible investigators name is mentioned in Protocols which are sent to relevant research ethics committees and/or authorities.
Health care professionals contact information may be shared with relevant recipients. |
| Retention and storage time: Clinical Study Agreement shall remain in effect until the final Study documentation required to be provided under the Protocol is received and accepted by CRO and the Sponsor, and CRO has performed a closeout visit at the Institution. Clinical study data up to a period of 25 years. | |||
Product Quality Complaints
We process personal data for reporters and patients for handling product quality complaints. Reporters are patients, relatives, physicians, pharmacists or other healthcare professionals reporting complaints.
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| Personal data for reporters and patients are processed for handling product quality complaints, as required to comply with applicable laws and regulations. | The personal data we process about reporters – Health care professionals, pharmacists include:
The personal data we process about patients include:
Patient data is pseudonymized, unless needed as reporter contact. |
We have a legal obligation to ensure that complaints are traceable and available for follow up, to comply with applicable legislation, e.g. EU GDP (2013/C 343/01), Volume 4 EU GMP Chapter 4 and Chapter 8. The processing is therefore based on Article 6.1 (c) GDPR and Article 9.2 (i) GDPR.
|
We share your information with our affiliates and third parties, including service providers who may assist in the processes of complaint investigation. This includes receipt and follow-up of reported product quality complaints, and possibly regulatory reporting. |
| Retention and storage time: We will use and store your personal data in accordance with legal requirements governing storage of data regarding product quality. Such requirements oblige us to store the information for at least ten years after the end of the expiration of the marketing authorization or longer if required by national legislation. | |||
Pharmacovigilance and patient safety
We both collect personal data about the person who is subject to an adverse event report, as well as the person or third party making the report. When we refer to “adverse event” below, this may also include other safety information.
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| All personal data are processed exclusively for pharmacovigilance purposes and only where relevant and appropriate to document, assess and report your adverse event properly in accordance with our legal obligations.
As Oncopeptides is obliged to take detailed records of every adverse event reported to us, for us to be able to evaluate and compare with other adverse events recorded about the product, we need to process necessary personal data. |
The personal data that we collect and process about reporters include:
and
The personal data that we collect and process about the person who is subject to an adverse event report may include:
|
Legitimate interest of reporter, pursuant to Article 6.1 (f) GDPR.
We have a legal obligation to ensure that adverse events are traceable and available for follow up, to comply with applicable pharmacovigilance laws. The personal data processing is therefore based on Article 6.1 (c) GDPR and Article 9.2 (i) GDPR. |
We share your information with our affiliates and third parties, including service providers who may assist in the pharmacovigilance processes. This includes receipt and follow-up of reported adverse events, regulatory reporting and signal evaluation. All these companies are bound by privacy obligations set forth by contract and/or law, and will only process your personal data in accordance with this privacy policy.
We are also obligated to submit the data to health authorities, for managing and analysing information on suspected adverse reactions. Additionally, your personal data may be disclosed to a third party if we are required to do so because of applicable law, court order or governmental regulation or if such disclosure is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad. |
| Retention and storage time: We will use and store your personal data in accordance with legal requirements governing storage and reporting of pharmacovigilance related information. Such requirements oblige us to store the information for at least ten years after the marketing authorization has ceased to exist worldwide, or longer if required by national legislation. | |||
Early Access Program
We process personal data about physicians, pharmacists or patients.
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
We process physician personal data:
We process pharmacist personal data:
We process patient personal data:
|
For physician we process the following personal data:
For pharmacist we process the following personal data:
We do not process any direct personal data related to the patient. For patients we process the following personal data:
|
We process physician and pharmacist personal data based on our legitimate interest, pursuant to Article 6.1 (f) GDPR, to administer the Early Access Program.
We do not process any direct personal data related to patient. We process information about age and health information based on our legitimate interest to validate patient eligibility for the Program and to comply with regulatory and safety reporting obligations, in accordance with Article 6.1 (f) GDPR and Article 9 (i) GDPR. |
Third-party service providers solely to allow the importation/supply of the Product to the Physician or the pharmacist as applicable. Only necessary data is shared and no information about the patient is shared.
Where required by law, governmental, tax, regulatory or similar authorities. |
| Retention and storage time: Personal data will be stored until the Program is closed. | |||
Established expert relationships (incl., HCPs, physicians and other distinguished professionals)
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| Communications with experts for collaborations and other engagements, e.g., in connection to our upcoming events or requesting input through surveys.
These distinguished expert insights significantly contribute to advancing discussions and the fostering of innovation within the life sciences community. |
Name, email, telephone number, CV.
Personal data necessary for domestic/international travel and accommodation in relation to events. Personal data necessary for financial compensation where applicable. |
Based on legitimate interest, we reach out to relevant stakeholders in accordance with Article 6 (1) (f) GDPR.
Any additional communication pursuant to our collaborative relationship is based on consent, in accordance with Article 6 (1) (a) GDPR. |
Business platform for professional contact management.
Where applicable, travel agencies and/or authorities issuing authorizations for entry (both independent data controllers). |
| Retention and storage time: For ongoing professional relationships, we retain personal data to facilitate continuous collaboration and communication. However, personal data necessary for single events, such as conference invitations, are retained only for as long as is necessary to manage the event and any related follow-up activities, unless otherwise necessary, appropriate and anticipated. | |||
Corporate partners
We may process personal data attributable to you as a corporate partner, e.g., vendor, supplier, distributor and research collaborator.
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| Project management.
Administering agreements with corporate partners, project participators and suppliers/distributors. Contacts regarding business and sales purposes and marketing. |
|
The personal data is processed for the purposes of, and based on our legitimate interest in, project management, administering agreements with corporate partners, project participators and vendors/suppliers/distributors, contacts regarding business and sales purposes and marketing. Furthermore, the personal data is processed for the purpose of, and based on our legitimate interest in, invoicing company partners.
We may process your social security number for the purpose of invoicing and other business administration conducted on the legal basis of being necessary for the performance of the contract with the sole trader and per requirements of the Swedish book-keeping legislation |
Business partners receive contact information.
Personal data processed for invoicing purposes is shared with The Swedish Tax Authority. |
| Retention and storage time: Personal data processed for the purpose of invoicing will be stored in accordance with requirements of the Swedish book-keeping legislation.
Personal data processed for the purpose of contacting the contact person for business and sales purposes will be deleted within six months as of the date the business relation with the business contact ends. Personal data processed for the purpose of marketing will be stored until you choose to opt out of additional marketing. |
|||
Investors and insiders
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| The purpose of our processing of investors’ personal data is to comply with legal obligations and provide information to relevant authorities.
For insiders the purpose of the processing is to comply with financial regulations and legislation, for being able to register insiders with the Financial Supervisory Authority and keep insider lists. |
We process investors’ name, social security number and postal address in accordance with requirements by law.
We process insiders name, e-mail, phone number and information about organisation/employer. |
We log investor meetings based on requirements by Law. We also process personal data for investors to stay in touch and keep track of interactions, based on our legitimate interest.
For insiders processing is based on our legal obligation to provide such information to the Financial Supervisory Authority and to comply with applicable laws and regulations. |
The Financial Supervisory Authority
CRM-platform provider. |
| Retention and storage time: In accordance with Swedish Book Keeping legislation, we store personal data about investors as long as they own shares.
Personal data about insiders is stored as long as necessary, in accordance with requirements by Law. |
|||
Job applicants
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| Personal data is processed in the recruitment process for the purpose of filling the position in question. | Name, email, phone number, CV, application and other personal data shared by the applicant. | We process job applicant’s personal data based on our legitimate interest to administer the recruitment process, in accordance with Article 6 (1) (f) GDPR. | E-mail system provider, when the job application is sent to us via e-mail. |
| Retention and storage time: Stored as long as necessary for the recruitment process. | |||
Subscribers to press releases
| Purposes | Personal data types | Legal basis | Recipients |
|---|---|---|---|
| To inform subscribers about the latest news and updates from us. | Name, email address and company attributable to you as a subscriber to our newsletter. | We process personal data based on consent, in accordance with Article 6 (1) (a) GDPR. | Platform provider for press releases. |
| Retention and storage time: We process personal data related to press releases until you withdraw your consent. | |||
Place of processing
We process your personal data within the EU/EEA. However, your personal data may be processed in other countries where we have facilities or service providers. Examples of this can be when participating in clinical studies not located in Europe. Appropriate contractual and other measures are in place to protect personal data when it is transferred to our affiliates or third parties in other countries, in accordance with Articles 44-49 in the GDPR and applicable national data protection legislation.
Some non-European Economic Area (EEA) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards. For transfers from the EEA to countries not considered adequate by the European Commission, we have ensured that adequate measures are in place, including ensuring that the recipient is bound by EU Standard Contractual Clauses, or an EU-approved code of conduct or certification, to protect your Personal Data.
If you have further questions concerning the transfer of your personal data outside the EU/EEA, you may contact us at privacy@oncopeptides.com
Your rights as a data subject
You are entitled to exercise the following rights by getting in touch with our Data Protection Officer, privacy@oncopeptides.com.
In case you are a participant in a clinical study, you should primarily contact your treating doctor in your study centre as only the study centre will have full access to your personal data and therefore the means to assist you.
Right to withdraw consent
If we process personal data about you with consent as a legal basis you may withdraw your consent at any time by contacting privacy@oncopeptides.com or your health care provider. However, in certain cases we may need to further process your personal data in accordance with law.
Right to be informed
You have the right to be informed concerning our processing of your personal data. This is carried out by providing you with information in this Privacy Notice, specific information forms provided to you or by answering your questions sent to us.
Right of access
You have the right to obtain information on the processing of your personal data, and if so, receive a copy of it. Such a copy is commonly referred to as a Data Subjects Access Request (DSAR).
Right to rectification
If you deem your personal data inaccurate or incomplete, you have the right to have the data corrected (rectified). This also means that you have the right to add such personal data that is missing and that is relevant taking into account the purpose of the personal data processing. We must also ensure that the data is accurate and up to date. If data is rectified at your request, we must also inform you that data has been rectified. This does not however apply if it should prove to be impossible or would involve excessive effort.
Right to erasure
You have the right to contact us when we process your personal data and request that the data relating to you to be erased. There are exceptions to the right to erasure and the obligation to inform others if it is necessary to satisfy other important rights such as the right to freedom of expression and freedom of information, fulfil a legal obligation, carry out a task in the public interest or as part of the exercise of official authority.
Right to restriction
In certain cases, you have the right to demand limitation of the processing. ”Limitation” means that the data is flagged so that it in future may only be processed for certain limited purposes. The right to restriction applies among other things when you as a data subject consider that the data is inaccurate and have requested rectification. You can in such cases also request that the processing of your personal data be limited while the accuracy of the data is investigated.
Right to data portability
In certain instances, you have the right to transfer your personal data from one controller to another, provided you have given us consent to the data processing, or you have concluded a contract with us. This can either be carried out by the controller which data is being transferred from, or that you receive the personal data in a commonly used machine-readable format.
Right to object
When the processing is based on public or legitimate interest you have the right to object to the processing. If we cannot prove that there is a justified public or legitimate interest, we must cease the processing of that personal data.
Right to file a complaint to the supervisory authority
You can file a complaint to the Swedish supervisory authority or other supervisory authorities where you are located.
More information about your rights
You can read more about your rights as a data subject under the GDPR on the Swedish supervisory authority’s webpage here: https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/
Information about cookies
Read more about how Oncopeptides processes cookies (electronic information about your visit to the website) here.
Contact details
If you have any questions or wish to exercise your rights you can contact our Data Protection Officer (DPO) by e-mail.
E-mail DPO: privacy@oncopeptides.com
Oncopeptides AB (publ)
Att: DPO
Luntmakargatan 46, 7 tr
SE-111 37 Stockholm, Sweden
Latest updated 2025-06-23