Privacy Policy
1. Purpose and scope of the Policy
Theravectys (“We” or “Us”) takes the protection of privacy and personal data (“Personal Data”) very seriously.
Theravectys ensures that your Personal Data is processed fairly, lawfully, and transparently, in compliance with current regulations, particularly Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (hereinafter “GDPR”).
The purpose of this Policy is to provide you with simple and clear information on:
- the Personal Data we collect and the purposes of this collection;
- how we process this data;
- your rights regarding this data and how to exercise them.
This Policy applies to any natural person whose Personal Data We process in the course of our activities, with the exception of our employees. It therefore covers visitors to this website, patients participating in clinical trials, healthcare professionals, partners, suppliers, sub-processors, and other individuals in connection with us.
This Policy may evolve over time, notably to take into account changes in regulations and technological developments.
2. Data Controller
For all processing operations covered by this Policy, the Data Controller is:
Theravectys
28 rue du docteur Roux, 75015, Paris
Company RCS: 482324282
You can contact our Data Protection Officer (DPO) at the following address: dataprotection@theravectys.com
3. What categories of Personal Data do we process and why?
We collect different categories of Personal Data depending on our activities. For each specified purpose, we inform you of the categories of data collected, the lawful basis, and the retention periods.
We retain your Personal Data only for as long as necessary to fulfill the purpose for which it was collected. Retention periods vary depending on the needs of our activities, contractual requirements, legal obligations, and recommendations from supervisory authorities.
3.1. Management of clinical trials and related samples
Purpose of processing:
Personal Data is processed for scientific research purposes within the framework of biomedical research involving human subjects, aiming to evaluate the safety, tolerability, immunogenicity, and preliminary efficacy of a therapeutic vaccine on participants with oropharyngeal or cervical cancer.
Categories of Personal Data processed:
- Generic data: Identification data, professional life data, connection data.
- Sensitive Personal Data (Art. 9 of the GDPR): Data concerning physical or mental health, medical follow-up of the research participant (medical file, test analysis, etc.), ethnic origin, genetic or biometric data, biological samples from the biobank.
- Data processed for individuals other than research participants: Professional email address, place of practice address, telephone number, curriculum vitae, declaration in case of conflict of interest with the Research Sponsor.
Lawful basis for processing:
The processing is necessary for the performance of a task carried out in the public interest, in this case, biomedical scientific research addressing public health challenges.
Retention periods:
- Research data: Duration of the study, i.e., 3 years.
- Data of individuals other than participants: Duration of the study, i.e., 3 years.
- Data from samples: Duration of the study, i.e., 15 years.
3.2. Other Personal Data processing
In addition to our clinical research activities, we process Personal Data for the following purposes:
Management of intellectual property requirements:
- Categories of Personal Data: Identification data, professional life data, economic and financial data, banking data.
- Lawful basis: Legal obligation.
- Retention period: 5 years.
Management of suppliers and service providers:
- Categories of Personal Data: Identification data, professional data, banking data.
- Lawful basis: Performance of a contract or pre-contractual measures.
- Retention period: Duration of the contractual relationship, extended by statutory limitation or retention periods (5 years).
Contract management, Invoicing:
- Categories of Personal Data: Identification data, professional life data, banking data.
- Lawful basis: Performance of a contract or pre-contractual measures.
- Retention period: Duration of the contractual relationship.
Accounting:
- Categories of Personal Data: Identification data, professional life data, banking data, invoicing data.
- Lawful basis: Legal obligation.
- Retention period: Statutory retention period (10 years).
Management of pre-litigation and litigation (excluding HR):
- Categories of Personal Data: Identification data, professional data, banking data.
- Lawful basis: Legitimate interest.
- Retention period: Duration of the judicial procedure and appeal periods, extended by statutory limitation periods.
Website Operation:
- Categories of Personal Data: Technical cookies.
- Lawful basis: Legitimate interest.
- Retention periods: Limited to what is strictly necessary to guarantee functionality, session duration or a maximum of 6 months.
4. From whom do we collect your Personal Data?
Personal Data may be collected directly from you by us or, when necessary, indirectly by one of our partners or sub-processors. Your Personal Data is used only for the purposes that have been brought to your attention. In the event of indirect collection, we commit to informing the data subjects in accordance with current regulations, particularly Article 14 of the GDPR.
5. With whom do we share your Personal Data?
Your Personal Data is processed by authorized personnel of Theravectys who need to access it in the course of their duties and in compliance with the aforementioned purposes.
We may also be required to disclose your Personal Data to the following categories of recipients:
- Partners and sub-processors involved in clinical trials: Research centers, investigating physicians, and other organizations collaborating with us for the conduct of clinical trials. These entities are subject to strict confidentiality and data protection obligations, in accordance with research protocols and applicable regulations.
- Processors: Service providers acting on our instructions and on our behalf (e.g., data hosts, IT service and solution providers, accounting firms, etc.). We ensure that our processors provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure the security and confidentiality of your data.
- Public bodies, judicial auxiliaries, ministerial officers, lawyers, administrative or judicial authorities, in order to comply with any applicable law or regulation, or to respond to any judicial or administrative request, within the framework of fulfilling our legal obligations or to enable us to defend our rights and interests.
- Control services such as statutory auditors and auditors.
6. Is your Personal Data transferred to a third country?
As part of our clinical trial activities, we collaborate with organizations located in the United States.
When data is transferred to a country that does not provide an adequate level of protection recognized by the European Commission (adequacy decision), we implement the necessary measures to ensure a level of protection equivalent to that required by the GDPR. These measures may include:
- The use of Standard Contractual Clauses (SCCs) adopted by the European Commission, combined if necessary with additional measures to ensure the security of transfers.
- Where applicable, verifying that the recipient adheres to a recognized certification mechanism offering sufficient guarantees (e.g., Data Privacy Framework for the United States, subject to its validity and certified companies).
- And, where appropriate, the implementation of complementary security measures.
7. How is your Personal Data secured?
We implement appropriate technical and organizational security measures to protect your Personal Data against destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures notably include:
- Pseudonymisation;
- Encryption;
- Rigorous access management systems;
- Securing our premises and IT systems;
- A governance framework for Personal Data protection;
- Awareness-raising and training of our personnel in data protection;
- Implementation of security incident management procedures.
8. What are your rights regarding your Personal Data and how can you exercise them?
In accordance with the GDPR, you have the following rights regarding your Personal Data:
- Right of access: Obtain confirmation as to whether or not your data is being processed, and if so, access it.
- Right to rectification: Request the correction of inaccurate data concerning you.
- Right to erasure (“Right to be forgotten”): Request the deletion of your data, under certain conditions.
- Right to restriction of processing: Request the suspension of the processing of your data, under certain conditions.
- Right to data portability: Receive the data you have provided to us, in a structured, commonly used, and machine-readable format, and transmit it to another data controller, when the processing is based on consent or a contract and is carried out by automated means.
- Right to object: Object at any time to the processing of your Personal Data, especially when the processing is based on legitimate interest, unless there are compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
- Right to withdraw your consent: If the processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to define post-mortem directives: You have the right to define directives concerning the retention, erasure, and communication of your Personal Data after your death.
For any questions related to this data protection policy or to exercise your rights, you can contact our DPO:
By postal mail:
Theravectys, 28 rue du docteur Roux, 75015 Paris
Attention: DPO
By email: dataprotection@theravectys.com
If you believe that your rights have not been respected after contacting us, you have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL).
CNIL contact details:
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
Website: https://www.cnil.fr
9. Cookie Policy
Our website uses cookies to ensure its proper functioning. For more information on the use of cookies, please consult our dedicated Cookie Policy.