Privacy NoticePrintable Version

Table of Contents

  1. Who does this privacy notice apply to?
  2. Purpose of this privacy notice
  3. About us
  4. How to contact us
  5. What personal data we collect
  6. How we collect and receive personal data
  7. Whom we collect personal data about
  8. How we use your personal data
  9. If you fail to provide your personal data
  10. How we obtain your consent
  11. Third party links and services
  12. Sharing personal data
  13. Transfers of your personal data
  14. How long we keep your personal data
  15. Confidentiality and security of your personal data
  16. Personal data of children
  17. How to access your information and your other rights
  18. Changes to this privacy notice

 

Privacy Notice
Sosei Heptares Group

Last updated: October 2022 

Scope

This Privacy Notice (“Privacy Notice”) sets out how Sosei Group Corporation and any firm, company, corporation or other organisation which is a subsidiary or affiliate for the time being of Sosei Group Corporation (“Sosei Heptares”) processes your personal data in connection with its business including the provision of the Sosei Heptares website (the “Site”), and provision of services (together “Services”). Sosei Heptares places great importance on the protection of your personal data and is committed to complying with all applicable data protection laws and regulations (including, but not limited to, the EU General Data Protection Regulation 2016 and the EU GDPR as it is saved and incorporated into UK law by section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018) (UK GDPR)).

1. Who does this privacy notice apply to?

This Privacy Notice specifically applies to the processing of personal data of clients, suppliers, shareholders, job applicants, trial participants and other third parties that we interact with during the day to day provision of our Services. If you are engaged as a staff for Sosei Heptares, please see our Workplace Privacy Notice which sets out further information about how we may process your personal data in connection with your employment and/or engagement.

This Privacy Notice applies to the processing of personal data carried out by any Group Company of Sosei Heptares.

2. Purpose of this privacy notice

This Privacy Notice explains our approach to any personal data that we might collect from you or which we have obtained about you from a third party, and the purposes for which we process your personal data. This Privacy Notice also sets out your rights in respect of our processing of your personal data. For more information click here.

When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.

This Privacy Notice informs you of the nature of the personal data about you that is processed by us and how you can request that we delete it, update it, transfer it and/or provide you with access to it.

This Privacy Notice is intended to assist you in making informed decisions when using the Site and our Services. Please take a moment to read and understand it. It should be read in conjunction with our Terms of Use and our Cookie Policy.

This Privacy Notice only applies to the use of your personal data obtained by us, whether from you directly or from a third party. It does not apply to personal data collected by third parties during your communications with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control, or you purchase goods or services from those third parties).

3. About us

Our Services are made available by various companies in the Sosei Heptares group of companies (each a “Group Company”).

Where this Privacy Notice refers to “Sosei” “we”, “us, “our”, this means one or more of the particular Group Companies that provide the Service to you. For more information about our Group Companies, including their respective roles and responsibilities click here.

For the purpose of EU and/or UK data protection legislation, where each Group Company’s processing in connection with its role stated above is caught by the requirements of EU and/or UK data protection legislation, each Group Company will be considered a controller of your personal data, except that:

·       Heptares Therapeutics Ireland Limited is considered a processor of your personal data acting on behalf of the other Group Companies; and

·       Sosei Group Corporation and Heptares Therapeutics Limited will be considered joint controllers in respect of any personal data processed relating to recruitment and investor/shareholder relations. To the extent you have any questions or requests in connection with this processing, Heptares Therapeutics Limited shall be considered your primary point of contact and responsible for managing such questions or requests.

4. How to contact us

If you have any questions about this Privacy Notice or want to exercise your rights set out in this Privacy Notice, you can contact us by:

  • using the “Contact Us ” form on our Site, found under either the Contact page or the Contact IR page.
  • for exercising your rights: sending an email to GDPR@soseiheptares.com
  • for general queries: sending an email to GDPR@soseiheptares.com
  • writing to the address of the relevant company as set out in Section 3.

5. What personal data we collect

In the course of providing you with Site and Services, we may collect the following types of personal data about you:

  • Contact Data, such as:
    • name;
    • postal code
    • address;
    • email address;
    • telephone number; and
    • the name of your organisation;
  • Health Data (to the extent you participate in a Heptares sponsored trial), such as:
    • pre-existing medical conditions;
    • medical information collected during a clinical trial; and
    • other relevant health data including data about lifestyle and genetics/response to medication;
  • Payment Data, such as:
    • bank and account details; and
    • information relating to a particular transaction;
  • Profile Data, such as:
    • user interests and preferences;
    • user contact preferences;
    • whether you have participated in any trials; and
    • information about any of our events that you have attended
  • Behavioural Data, such as:
    • data relating to your browsing activity, through the use of cookies, pixel tags and other similar technologies; and
    • when your current or previous sessions started
  • Technical Data, such as:
    • IP address;
    • browser type and operating system;
    • geolocation, to ensure we’re showing you the correct notices and information; and
    • any other unique numbers assigned to a device.
  • Job Applicant Data, such as
    • first name and last name;
    • date of birth;
    • gender;
    • country;
    • nationality;
    • academic qualifications;
    • employment history;
    • remuneration package;
    • entitlement to work information; and
    • disability information.

6. How we collect and receive personal data

We collect and receive personal data using different methods:

  • Personal data you provide to us. For more information click here.
    You may give us your personal data directly. This will be the case when, for example, you contact us with enquiries, complete forms on our Site, subscribe to receive our marketing communications or provide feedback to us.
  • Personal data we generate about you. For more information click here.
    We may generate Health Data and/or Profile Data as a result of the provision of our Services and/or our interactions with you.
  • Personal data we collect using cookies and other similar technologies. For more information click here.
    When you access and use our Site, we will collect certain Behavioural Data or Technical Data. We collect this personal data by using cookies and other similar technologies (see the ‘Insight, analysis and retargeting through Cookies'’ section below).
  • Personal data received from third parties. For more information click here.
    From time to time, we will receive personal data about you from third parties. Such third parties may include analytics providers, external Clinical Research Organisations, independent consultants, data brokers, payment providers and third parties that provide technical services to us so that we can operate our Site and provide our Services.
  • Publicly available personal data. For more information click here.
    From time to time we may collect personal data about you (Contact Data) from publicly available sources (including open source data sets), media reports or that you or a third party may otherwise make publicly available (for example through speeches at events or publishing articles or other news stories).

7. Whom we collect personal data about

We collect and process personal data from the following people:

  • Clinical Trial Participants. For more information click here.
    If you are involved in a clinical trial or participate in one of our research projects, we may process personal data about you in connection with your participation. You may be provided with a separate privacy notice in relation to this data processing activity.
  • Site visitors. For more information click here.
    If you browse our Site, contact us with an enquiry through our Site, submit a complaint through our Site or use any Services available on our Site, we will collect and process your personal data in connection with your interaction with us and our Site.
  • Visitors to our offices or operations facilities. For more information click here.
    If you attend our offices or operations facilities, we may process personal data that you volunteer in connection with your visit and any enquiries you make. For example, you may volunteer personal data when signing in as a guest. CCTV footage may also be collected for security purposes.
  • Event attendees. For more information click here.
    If you attend one of our events, we will process personal data about you in connection with your attendance at the event. For example, we may ask you to complete a registration or feedback form, or other documents relating to the event.
  • Personnel that work for our clients, partners and suppliers (including subcontractors and personnel who work for us as freelancers or contractors). For more information click here.
    If you (or your organisation) are:
    a) in receipt of services from us;
    b) supply products or services to us; or
    c) otherwise partner with us;
    we may collect and process your personal data in connection with our provision of those services to you, our receipt of those products and services from you and/or our partnership. This may include personal data included in any email or telephone communications or recorded on any document relating to an order for the products or services, such as your Contact Data.
  • Job applicants. For more information click here.
    If you apply for a job with us, whether through the Career Page on our Site or otherwise, we will collect and process your personal data in connection with your application.
  • Shareholders. For more information click here.
    If you are a shareholder of our Group Companies, we will process your personal data in relation to your investment and for our reporting obligations.

8. How we use your personal data

We use your personal data for the following purposes:

  • Provision of our Service. For more information click here.
    We may collect and maintain personal data that you submit to us or we otherwise obtain and/or generate for the purpose of supplying our Services.

    For example, if you are participating in a trial or research project, the personal data we process may include Contact Data, your Payment Data, Profile Data and Health Data. Additional information about how we and our third party partners process your personal data in connection with a particular trial may be provided to you prior to your participation in that trial by way of a trial specific privacy notice.

    If you work for a client or partner or subcontractor, the personal data we process may include your Contact Data and Payment Data (where applicable). We process this information so that we can fulfil the supply of Services, maintain our user databases and to keep a record of how our Services are being used.

    If you attend one of our offices or operations facilities, we will process personal data about you which you volunteer in connection with your visit and any enquiries you may have. This will usually include your Contact Data, and any other personal data you volunteer.

    Some Services we offer are also subject to separate terms and conditions which will also apply.

    Our legal basis for processing

    It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you, or it is in our legitimate interest or the legitimate interest of the organisation with whom you work to use personal data in such a way to ensure that we provide our services in an effective, safe and efficient way.

    Where we process information about your health, we will do so with your explicit consent or, where relevant, process your health data for the purpose of scientific research.

    For further information about any other lawful bases we may rely on in respect of the personal data we process in connection with a particular trial, please see the relevant trial specific privacy notice.

  • Use of our Site. We collect and maintain personal data that you submit to us during your use of our Site in the following ways.
    • Contact us. For more information click here.
      Our Site features a “Contact” page which invites you to submit general enquiries about our Site and our Services by email.

      When you make an enquiry, we will collect and process your Contact Data and certain Profile Data, as well as any other personal data that is relevant to your enquiry. We use this information to manage and respond to your enquiry.

      Our legal basis for processing

      It is in our legitimate interest to use your personal data in the ways described above to ensure that we are able to help you with your enquiry and provide a good standard of service to you.

    • Your contributions to our Site. For more information click here.
      If you write an article or blog for us or contribute in any other way to publications we send to our members and/or publish on our Site or in print, we may use your personal data (such as your Contact Details) to credit you for your contribution. If you provide photographs or other images in support of your article or blog, we may publish one or more of those images alongside your article or blog.

      If you submit any other content to us, including via our Site, such as photographs, quotes or testimonials, we may process any personal data comprised within that content for the purposes of promoting our Site and Services.

      Our legal basis for processing

      Where we use your content in connection with Services that we provide via our Site, it is in our legitimate interest to use any personal data that you provide to us to ensure that we provide the relevant Service in an effective way.

    • Insight, analysis and retargeting through cookies. For more information click here.
      We and our third party partners use cookies, web beacons, pixel tags and other similar technologies (which we generically refer to as “Cookies”) to collect data from the device(s) that you use to access our Site. The data that is collected includes Behavioural Data and Technical Data, and certain Profile Data.

      Please see our Cookie Policy for further information, including details of the third party partners that are used.

      We and our third party partners use this data, in combination with your Contact Data, to analyse how you use, and the effectiveness of, our Site and Services, including:

      • to count users who have visited our Site and collect other types of information, including insights about our visitors’ browsing habits, which helps us to improve our Site and Services;
      • to measure the effectiveness of our content;
      • to learn what pages of our Site are most attractive to our visitors, which parts of our Site are the most interesting and what kind of features and functionalities our visitors like to see; and
      • to help us with the selection of future service lines, website design and to remember your preferences.

      Our legal basis for processing

      Where your data is collected through the use of non-essential cookies, we rely on consent to collect your data. Please see our Cookie Policy for further details.

      However, we may rely on other legal basis when we use your personal data that has been collected via the use of Cookies for the purposes described in this section.

      Where we use this personal data to analyse how you use our Site and Services, it is in our legitimate interest to use your personal data in such a way to improve our Site and our Services.

  • General enquiries. For more information click here.
    When you make an enquiry whether by post, telephone, email or using the Contact page, the Contact IR page or otherwise, we will collect and process your Contact Data as well as any other personal data that is relevant to your enquiry. We use this information to manage and respond to your enquiry.

    We may record (including voice recordings of telephone conversations) and use the information referred to above to train our personnel so that they can effectively deal with enquiries.

    Our legal basis for processing

    It is in our legitimate interest to use your personal data in the ways described above to ensure that we are able to help you with your enquiry and provide a good standard of service to you.

  • Hosting and managing events. For more information click here.
    From time to time, we may organise and host events for purposes such as obtaining investment for a particular project and/or shareholder meetings. We may process your Contact Data to communicate with you about such events where you have specifically requested information about such events or where we have another lawful basis for sending that information to you.

    If you attend one of our events, we may use your Contact Data to record your attendance at the event and for related record-keeping purposes and, if relevant, we may collect and process any dietary requirements you may have. You may also feature in photographs taken at our events and such photographs may appear in publications that we make available.

    Our legal basis for processing

    It is necessary for us to use your personal data in this way to perform our obligations in accordance with any contract that we may have with you where you have signed up to attend an event, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that the event is operated in an effective way.

    We may specifically ask your permission to use your photographs, quotes, testimonials, or other content that you make available or publish at the event. Where this is the case, our processing of such personal data will be based on consent.

  • Surveys and feedback. For more information click here.
    From time to time, we may invite you to provide feedback about us, our Site or our Services in the form of online, postal or email surveys. We will collect and process your Contact Data, certain Profile Data, and any other personal data you choose to volunteer in your survey response or other feedback.

    We use this information to help us to monitor and improve our Site, our Services and to assist with the selection of future service lines, and to train our personnel.

    You can also voluntarily provide feedback by contacting our Investor Relations team. Please see the ‘General enquiries ’ section above or details set out in the “How to Contact Us ” section above for more information.

    Our legal basis for processing

    It is in our legitimate interest to use the personal data provided by you so that we can improve our Services and provide them in an effective way.

  • Marketing activities. We carry out the following marketing activities using your personal data:
    • Postal marketing. For more information click here.
      We use your Contact Data to send you (or the organisation you represent) marketing communications by post. Our postal marketing communications will include press releases and information about our Services, as well as general information about our organisation, our Site, and the events and promotions we offer from time to time.

      Our legal basis for processing

      It is in our legitimate interest to use your personal data for postal marketing purposes.

    • Email marketing. For more information click here.
      We use your Contact Details to send you (or the organisation you represent) marketing communications by email. Our email marketing communications will include press releases and information about our Services, as well as general information about our organisation, our Site, and the events we offer.

      Our legal basis for processing

      We will rely on our legitimate interests to send you email marketing communications. However, where required by law we will obtain your consent to receive such communications, including via Email Alerts on our Site. Where we obtain your consent, you have the right to opt-out of our use of your personal data to provide email marketing to you.

  • Investor/shareholder relations. For more information click here.
    We may process your personal data in relation to managing our investor/shareholder relationships, including collecting your personal data via our Site and using your personal data to send you investor related or shareholder communications about our products, performance and events. Our “Contact Us by Email ” links and Email Alerts “Subscribe/Unsubscribe ” links are provided and hosted by our service provider Piped Bits Co.,Ltd (registered address: Orix Akasaka 2-Chome Building, 2-9-11 Akasaka, Minato-ku, Tokyo, Japan). For more information on how they process your data, please see their privacy policy on their website.

    Our legal basis for processing

    We will rely on our legitimate interest to use the personal data collected via our Site so that we can send you investor related or shareholder communications. However, where required by law we will obtain your consent to receive such communications, including via Email Alerts on our Site. Where we obtain your consent, you have the right to opt-out of our use of your personal data to provide such communications to you.

  • Staff Recruitment. For more information click here.
    We use your personal data for recruitment purposes, in particular, to assess your suitability for any of our positions that you apply for, whether such application has been received by us online via our Career Page, by email or by hard copy and whether submitted directly by you or by a third party recruitment agency on your behalf. Our online recruitment portal on our Career Page is provided and hosted by our service provider Cezanne HR Limited (registered address: 46 Loman Street, London SE1 0EH), with whom we have entered into appropriate data processing agreements.

    We also use your Contact Data to communicate with you about the recruitment process, to keep records about our recruitment process and to comply with our legal and regulatory obligations in relation to recruitment.

    We will process any personal data about you that you volunteer, including during any interview or other forms of assessment, including online tests, when you apply for a position with us. These processes may be described in more detail in separate privacy notices.

    We may also process your personal data obtained from any third parties we work with in relation to our recruitment activities, including without limitation, recruitment agencies, background check providers, credit reference agencies and your referees.

    The personal data we process may include your Contact Data, Job Applicant Data, any other personal data which appears in your curriculum vitae or application, and any personal data that you volunteer during an interview or your interactions with us, or any personal data which is contained in any reference about you that we receive. Such information may also include special categories of personal data (such as information about your health, any medical conditions, disabilities which we need to make reasonable adjustments for during the recruitment process and your health and sickness records) and information relating to criminal convictions and offences if that information is relevant to the role you are applying for.

    We also use your personal data for the purposes of reviewing our equal opportunity profile in accordance with applicable legislation. We do not discriminate on the grounds of gender, race, ethnic origin, age, religion, sexual orientation, disability or any other basis covered by local legislation. All employment-related decisions are made entirely on merit.

    You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

    Our legal basis for processing

    Where we use your personal data in connection with recruitment, it will be in connection with us taking steps at your request to enter into a contract we may have with you or it is in our legitimate interest to use personal data in such a way to ensure that we can make the best recruitment decisions.

    We will not process any special (or sensitive) categories of personal data or personal data relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent.

  • Receipt of services from suppliers. For more information click here.
    If we have engaged you or the organisation you represent to provide us with products or services (for example, if you or the organisation you represent provide us with services such as IT support or financial advice), we will collect and process your personal data in order to manage our relationship with you or the organisation you represent, to receive products and services from you or the organisation you represent and, where relevant, to provide our Services to others.

    The personal data we collect from you may include your Contact Data and certain Payment Data, and any other personal data you volunteer which is relevant to our relationship with you or the organisation you represent.

    Our legal basis for processing

    It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you or it is in our legitimate interest to use personal data in such a way to ensure that we have an effective working relationship with you or the organisation you represent and are able to receive the services that you or your organisation provides, and provide our Services to others, in an effective way.

  • Security. For more information click here.
    We have security measures in place at our offices and operations facilities, including CCTV and building access controls. There are signs in place showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft).

    We may require visitors to our premises to sign in on arrival and where that is the case we will keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need-to-know basis (e.g. to look into an incident).

    Our legal basis for processing

    It is in our legitimate interests to process your personal data so that we can keep our offices and operations facilities secure and provide a safe environment for our personnel and visitors to our offices and operations facilities.

  • Business administration and legal compliance. For more information click here.
    We use your personal data for the following business administration and legal compliance purposes:
    • to comply with our legal obligations;
    • to enforce our legal rights;
    • to ensure compliance with our terms and policies, for example, to prevent or detect fraud or other crimes;
    • to protect the rights of third parties; and
    • in connection with a business transition such as a merger, reorganisation, acquisition by another company, or sale of all or a portion of our assets.

    Our legal basis for processing

    Where we use your personal data in connection with a business transition, to enforce our legal rights or to protect the rights of third parties, it is in our legitimate interest to do so. For all other purposes described in this section, we have a legal obligation to use your personal data to comply with any legal obligations imposed upon us such as a court order.

    We will not process any special (or sensitive) categories of personal data or personal data relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent.

  • Any other purposes for which we wish to use your personal data that are not listed above, or any other changes we propose to make to the existing purposes, will be notified to you using the contact details we hold for you.

9. If you fail to provide your personal data

Where we are required by law to collect your personal data, or we need to collect your personal data under the terms of a contract we have with you, and you fail to provide that personal data when we request it, we may not be able to perform the contract we have or are trying to enter into with you. This may apply where you do not provide the personal data we need in order to provide the Services you have requested from us or to process an application for employment with us. In this case, we may have to cancel your application or the provision of the relevant Services to you, in which case we will notify you.

10. How we obtain your consent

Where our use of your personal data requires consent, you can provide such consent:

  • at the time we collect your personal data following the instructions provided; or
  • by informing us using the contact details set out in the “How to Contact Us ” section above.

Where we obtain your consent, you have the right to opt-out of our use of your personal data at any time using the contact details set out in the “How to Contact Us” section above or by using any other opt-out mechanism we may provide, such as an unsubscribe link in an email. If you withdraw your consent, our use of your personal data before you withdraw is still lawful.

11. Third party links and services

Our Site may contain links to third party websites and services.

When you use a link to go from our Site to another website (even if you don’t leave our Site) or you request a service from a third party, this Privacy Notice shall not apply to the processing of your personal data carried out by the relevant third party provider. For more information click here.

Your browsing and interactions on any other websites, or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies.

We do not monitor, control or endorse the privacy practices of any third parties.

We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.

This Privacy Notice applies solely to personal data processed by us through your use of our Site, your receipt of our Services and/or in connection with our business operations. It does not apply to the processing of your personal data by these third party websites and third party service providers.

12. Sharing personal data

We will only share personal data with others when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place to protect the personal data shared, including to ensure where applicable that the third parties do not use the personal data for their own purposes, and to comply with our data protection, confidentiality and security standards and obligations. For more information click here.

When processing your personal data, we may need to share it with third parties (including other entities within our group of companies) as follows:

Group Companies for recruitment purposes: Your information that you provide to us through the “Career Page” may be shared internally with the Sosei Heptares Group Companies for the purposes of the recruitment exercise. This includes members of the relevant Group Company HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles. Whenever we share your personal data with third parties or with other Sosei Heptares Group Companies, we disclose only the personal information that is necessary for the respective purposes.

Third party organisations that provide applications/functionality, data processing or IT services: We share personal data with third parties who support us in providing our Services and help provide, run and manage our internal IT systems. Such third parties may include, for example, providers of information technology, providers of cloud-based software, identity management, website hosting, management and services, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them. We also share your personal data with third party service providers to assist us with insight analytics. These providers are described in our Cookie Policy .

Payment providers and banks: We share personal data with third parties who assist us with the processing of payments and refunds.

Event partners and suppliers: When we run events, we will share your personal data with third party services providers that are assisting us with the operation and administration of that event. If we are running an event in partnership with other organisations, we will share your personal data with such organisations for use in relation to the event.

Third party email marketing and Customer Relationship Management specialists: We share personal data with specialist suppliers who assist us in managing our marketing database and sending out our email marketing communications and membership-related communications.

Suppliers of postal and courier services: We share personal data with suppliers who assist us in sending out our postal marketing communications and other communications.

Partners: We share personal data with our partners, including contract research organisations or laboratories, in the provision of our Services.

Recruitment agencies and related organisations: We share personal data with external recruiters, third party providers that undertake background checks on our behalf and other entities within our group of companies.

Auditors, lawyers, accountants and other professional advisers: We share personal data with professional services firms who advise and assist us in relation to the lawful and effective management of our organisation and in relation to any disputes we may become involved in.

Law enforcement or other government and regulatory agencies and bodies: We share personal data with law enforcement or other government and regulatory agencies, courts or other third parties as required by, and in accordance with, applicable law or regulation.

Sharing with other third parties: Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties in order to operate our Site, offices and operations facilities and to provide our Services.

13. Transfers of your personal data

When you submit personal data to us, whether through your interactions with our Site, office, branch offices and operations facilities you acknowledge that your personal data may be transferred to a country outside the UK and the European Economic Area (“EEA”) (such as Japan) where it will be stored and processed by us and relevant third parties for the purposes set out in this Privacy Notice (see section 12).

Some countries do not have the same data protection laws as the UK and the EEA. In particular, non-EEA countries may not provide the same degree of protection for your personal data, may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data. However, when transferring your personal data to countries outside of the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data.

We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws. For more information click here.

When transferring your personal data to countries outside the UK or the EEA, we will ensure that, where required by applicable law, at least one of the following safeguards is implemented:

Adequacy decisions: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and the UK Government. For further details, see the European Commission and ICO websites

Model clauses: Where we use certain service providers, we may use specific clauses approved by the European Commission and UK Government which give personal data the same protection it has in Europe and the UK. For further details, see the European Commission and ICO websites.

Please contact us using the contact details set out in the “How to Contact Us” section above if you would like further information on the specific mechanisms used by us when transferring your personal data to countries outside the UK or the EEA.

14. How long we keep your personal data

We will not retain your personal data any longer than necessary to fulfil the purposes the data was collected for or to fulfil our legal obligations, in line with our Document Retention Policy. The retention periods may differ depending on which group entity is data controller, in line with local requirements.

If any personal data is only useful for a short period (e.g. for a specific event or marketing campaign or in relation to recruitment), we will not retain it for longer than the period for which it is used by us and as required by law or to defend legal claims. If we receive your application through our “Career Page” and the application is unsuccessful, we will hold your data on file for up to 12 months after the end of the relevant recruitment process. At the end of that period, or on your request, your data will be deleted or destroyed. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

If you have opted out of receiving marketing communications from us, we will need to retain certain personal data on a suppression list indefinitely so that we know not to send you further marketing communications in the future.

If you wish to receive further specific information on the applicable retention periods, please reach out to us at GDPR@SoseiHeptares.com.

15. Confidentiality and security of your personal data

We are committed to keeping the personal data you provide to us secure and we will take reasonable precautions to protect your personal data from loss, misuse or alteration. For more information click here.

We have implemented information security policies, rules and technical measures to protect the personal data that we have under our control from:
  • unauthorised access;
  • improper use or disclosure;
  • unauthorised modification or destruction; and
  • unlawful destruction or accidental loss.

All our employees and data processors (i.e. those who process your personal data on our behalf, for the purposes listed above) who have access to and are associated with the processing of personal data are obliged to respect the confidentiality of the personal data of all users of our Site and our Services.

Whilst we will take reasonable precautions to ensure the security of your personal data, we cannot guarantee the security of information transmitted over the Internet.

16. Personal data of children

We do not specifically target our Site or our Services at children. However, due to the nature of our organisation and the Services we provide, we may from time to time collect and process personal data relating to individuals under the age of 18. Where we do so, we will comply with all applicable laws and regulations relating to the processing of personal data of minors. However, if you are under the age of 16, you must ask a parent or guardian for permission before using our Site and our products and services. If you are a parent or guardian, please supervise your child’s use of our Site and our Services.

17. How to access your information and your other rights

You have the following rights in relation to the personal data we hold about you. If you would like to exercise any of these rights, please contact us using the confidential email GDPR@soseiheptares.com. Please note that some of these rights are subject to certain exemptions and limitations.

  • Your right of access. For more information click here.
    If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may charge a reasonable fee for producing those additional copies.
  • Your right to rectification. For more information click here.
    If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal data with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we’ve shared your personal data with so that you can contact them directly.
  • Your right to erasure. For more information click here.
    You can ask us to delete or remove your personal data in some circumstances, such as where we no longer need it or where you withdraw your consent (where applicable). If we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
  • Your right to restrict processing. For more information click here.
    You can ask us to ‘block’ or suppress the processing of your personal data in certain circumstances such as where you contest the accuracy of that personal data or you object to us processing it for a particular purpose. This may not mean that we will stop storing your personal data but, where we do keep it, we will tell you if we remove any restriction that we have placed on your personal data to stop us processing it further. If we’ve shared your personal data with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal data with so that you can contact them directly.
  • Your right to data portability. For more information click here.
    You have the right, in certain circumstances, to obtain personal data you have provided to us (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.
  • Your right to object. For more information click here.
    You can ask us to stop processing your personal data, and we will do so, if we are:
    • relying on our own or someone else’s legitimate interest to process your personal data, except if we can demonstrate compelling legal grounds for the processing; or
    • processing your personal data for the purposes of direct marketing.
  • Your rights in relation to automated decision-making and profiling. For more information click here.
    You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for the entering into, or the performance of, a contract between you and us.
  • Your right to withdraw consent. For more information click here.
    If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time. You can exercise your right of withdrawal by contacting us using our contact details in the “How to Contact Us ” section above or by using any other opt-out mechanism we may provide, such as an unsubscribe link in an email.
  • Your right to lodge a complaint with the supervisory authority. For more information click here.
    If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, please contact us using the contact details provided in the “How to Contact Us ” section above. You can also report any issues or concerns to a national supervisory authority in the Member State of your residence or the place of the alleged infringement.

    You can find a list of contact details for all EU supervisory authorities at the European Commission website. The UK supervisory authority is the Information Commissioner's Office (ICO). As we are incorporated in the UK, our regulatory authority is the ICO

    In Ireland the relevant regulatory authority is the Data Protection Commission and in Japan the relevant regulatory authority is the Personal Information Protection Commission.

18. Changes to this privacy notice

We may make changes to this Privacy Notice from time to time. For more information click here.

To ensure that you are always aware of how we use your personal data, we will update this Privacy Notice to reflect any changes or proposed changes to our use of your personal data. We may also make changes to comply with changes in applicable law or regulatory requirements.

We will bring any significant changes to your attention by updating this information and making it available on our website. In addition, we will examine whether in individual cases there is an obligation to provide other notification in the event of any changes to this information and in this case, we will comply with the existing notification obligation. However, we encourage you to review this Privacy Notice periodically to be informed of how we use your personal data.