Clinical Trial Privacy Notice

Effective Date: February 16, 2024.

1. Introduction and Scope

Akros Pharma Inc. (“Akros”, “we”, “us”, “our”) takes the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (“Notice”) describes how we use the Personal Data we may receive, either directly from the subject or personnel or from third parties, in connection with the clinical trials we sponsor (“Trial” or “Trials”). This Notice is applicable to subjects who are involved in Trials, including patients and healthy subjects, (individually and together, “Subject,” “Subjects”) and personnel involved in overseeing and conducting of our Trials (“Trial Personnel”).

This Notice explains in general terms our commitment to comply with data privacy laws and regulations, including but not limited to the European General Data Protection Regulation (“GDPR”) and the Health Insurance Portability and Accountability Act (“HIPAA”) of the United States.

This Notice does not apply to the Personal Data we collect by other means, such as the Personal Data that we receive directly through our public website. This Notice does not apply to the Personal Data of Akros employees.

Important note: Nothing in this Notice is intended to limit in any way the Trial Subjects’ and Trial Personnel’s statutory rights, including their rights to a remedy or means of enforcement.

2. Controllership

Within the scope of this Notice, Akros acts as a data controller for the Personal Data we collect, use and process. This means that we determine the purposes and means of processing of the Personal Data.

We do not have direct access to Subjects’ uncoded Personal Data, meaning that we are typically unable to directly identify Trial Subjects. The Personal Data is collected by the Trial Personnel assisting us with the Trial, including the contract research organization (CRO), the Trial site (the doctor’s office, clinic, hospital or other healthcare facility where the Trial is being conducted) or other third parties, such as the Subjects’ primary care doctor(s). When any information relating to Trial Subjects is shared with us, it will be key-coded (also known as “pseudonymized”) so that the Subject will not be identified by any direct personal identifier.

There may be other organizations that jointly control processing of the Personal Data in conjunction with us. If the Subject would like to know more about other data controllers that jointly determine the purposes for which we process the Personal Data, and the means by which we do so, they may ask the Trial doctor or the Trial site for further details specific to the Trial they participate in.

3. Basis of Processing

Before, during and after each Trial, we will process the Personal Data for various purposes. In each case, we will rely on an appropriate lawful basis for the Personal Data processing. We will only process sensitive Personal Data (like health and genetic data) when allowed by law.

Subjects:

We process the Personal Data for safety and reliability purposes in order to comply with our legal obligations.

We process the Personal Data for scientific research purposes based on the Subjects’ consent to participate, our legitimate interest in clinical trials and for performing valuable scientific and medical research.

If we process the Personal Data for other purposes after the end of a Trial, we do so based on the Subjects’ consent or our legitimate interest in conducting further research.

Akros will need to process data about the Subject’s health in order for them to participate in a Trial. Health data are considered sensitive Personal Data (also known as a “special category” of the Personal Data) and special rules apply to working with it. When we process special categories of the Personal Data, we only do so when the processing is necessary for reasons of public interest in the area of public health. These reasons include making sure our drugs is safe and effective, and conducting our Trials safely. We also process sensitive Personal Data based on the Subject’s explicit consent.

The specific grounds on which we process the Personal Data, including health data, may vary somewhat from the above in order to comply with the requirements of applicable local laws in jurisdictions where we sponsor Trials. For more information about the legal grounds on which we process the Personal Data, Subjects should refer to the signed informed consent form (ICF) provided to them before beginning their participation in the Trial. If there is any conflict between any provision in this Notice and any provision in the signed ICF in connection with participation in a clinical Trial we sponsor, the ICF shall supersede the conflicting provision in this Notice.

Trial Personnel:

Akros may process the Personal Data of Trial Personnel based on their consent or our legitimate interests in facilitating the operation of our business and conducting Trials, making informed investigator selection decisions, and improving our principal investigator and Trial Personnel recruiting and contracting processes.

We also process the Personal Data because it is necessary for the performance of the contracts between Akros and Trial sites, including by enabling us to communicate with Subjects and other principal investigators about the performance of the relevant Trial.

Akros may process the Personal Data of Trial Personnel in order to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect the Personal Data from individuals who participate in the conduct of a Trial.

4. How We Receive Personal Data

We receive the Personal Data when:

  • The Subject or Trial Personnel visit our Trial-specific websites or online portals;
  • The Subject provides it to us, the CRO, or a Trial site directly when they complete a pre-screening questionnaire on our Trial-specific websites or visit a Trial site;
  • The Subject or Trial Personnel provides it to us, the CRO or a Trial site when they participate in or assist with a Trial;
  • The Subject’s doctors or healthcare providers provide it to us; or
  • The Subject or Trial Personnel provide it to us to assist in the conduct of a Trial.

5. Categories Of Personal Data

Akros itself will have access to the following types of Personal Data about Trial Subjects:

  • Subject ID number;
  • Gender (if authorized by local laws);
  • Age or year of birth;
  • Laboratory and biological imaging data (including biological samples for the tests);
  • Outcome of the pregnancy, body weight, and height of the Trial Subject’s baby;
  • Health data, such as a medical background, history, and reaction to the Trial drug;
  • Health care information, such as the identity and contact information of Subject’s investigator and Trial site;
  • Genetic information, such as genotype; and
  • Racial or ethnic origins (if authorized by local laws).

Akros may collect and process the following types of Personal Data about Trial Personnel:

  • Name, work contact details (address, telephone number and email address);
  • CV and professional details, including work experience, qualifications, registrations and memberships;
  • Bank account details for payment processing (if the professional is paid by Sponsor or CRO); and
  • Periodic financial disclosure forms if the professional meets the criteria to complete the US Food and Drug Administration (FDA) Form 1572 reporting requirements or equivalent local law requirements.

Akros’ service providers, including the CRO, may have access to and process the following types of Personal Data:

  • Subject ID number;
  • Gender (if authorized by local laws);
  • Age or year of birth;
  • Laboratory and biological imaging data (including biological samples for the tests);
  • Outcome of the pregnancy, body weight and height of the Trial Subjects’ baby;
  • Health data, such as a medical background, history, and reaction to the Trial drug;
  • Health care information, such as the identity and contact information of Subject’s investigator and Trial site;
  • Genetic information, such as genotype; and
  • Racial or ethnic origins (if authorized by local laws).

6. Purposes of Processing

We will process the Personal Data of Subjects and Trial Personnel for the purposes of:

  • The research study as described in the ICF provided to Subjects or the Investigator’s Brochure and other relevant information provided to Trial Personnel, including for the purposes of conducting and overseeing the study;
  • Checking the Subjects’ suitability to take part in the study;
  • Monitoring the treatment;
  • Analyzing the treatment results, and monitoring and reporting adverse events; and
  • Conducting related scientific and medical research.

We also process the Personal Data of Trial Subjects for the specific purposes described in the Trial information provided to Trial Subjects by the Trial site.

We will process Trial Personnel’s Personal Data for the purposes of:

  • Management and administration of the relationship with the healthcare professional, including confirming their qualifications and experience, communicating about the clinical study, complying with financial reporting requirements under applicable local laws in respect of the payments made for the services provided and conducting training where applicable;
  • Conducting Trials; and
  • Complying with applicable laws and regulations.

7. Automated Individual Decision-Making; Randomization

A Subject participating in a Trial will be assigned a Subject ID number. Depending on the Trial the Subject participates in, this number may be used as part of an automatic process* that randomly determines if they will receive the experimental drug or treatment that is being evaluated in the Trial, or if they will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with good clinical practice standards.

*Note that in some Trials the randomization process may not be automatic.

8. Data Retention

Akros will keep the Personal Data until we fulfill the purposes listed above, or for as long as required by applicable law and/or permitted by the Subject’s or Trial Personnel’s signed consent.

We use collected Personal Data to track the effects of the experimental drug using information collected from Trial Subjects. This means that we will need to keep the Personal Data for a long time. However, in order to protect privacy, the information of every Trial Subject is “key-coded” before we enter it into the database and reports. This means that we replace identifying information like name and contact information with a code number.

To the maximum extent permitted by law, once collected Personal Data has been key‑coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. For example, European law requires us to keep the Personal Data that is part of the clinical trial master file for at least twenty-five years after conclusion of the applicable Trial. Other laws may require different retention periods. This includes the identity and health information, and any adverse effects of the drug taken during the Trial.

9. Sharing Personal Data with Third Parties

We will share the Personal Data with service providers who process it on our behalf and who agree to use it only to assist us in conducting our Trials or as required by applicable law.

Our service providers provide:

  • CRO services;
  • Payment processing services;
  • Lab services;
  • Drug safety services;
  • Medical writing services;
  • Project management services; and
  • General consulting services.

We may also share the Personal Data with our current or future corporate affiliates and third party collaborators, for the purpose of enabling their assistance in further research and development of our drug products, and with other third parties involved in the conduct of our clinical Trials, such as clinical sites like hospitals and medical offices, and public government agencies, for the purpose of conducting our Trials and complying with applicable laws and research standards. We may also share the Personal Data with our corporate affiliates, partners, licensees, and third party collaborators, who may continue with further research and development of the drug products. Some of these third parties are data controllers in their own right and may be located in other countries.

10. International Transfers of Personal Data

Some of the above-mentioned third parties may be located outside of the United States; however, we will either obtain explicit consent of the Subject or Trial Personnel, their legal representative, or other appropriate party or legal authority to transfer the Personal Data to such third parties, or we will require those third parties to maintain at least the same level of confidentiality and protection that we maintain for such Personal Data ourselves. We remain liable for protection of the Personal Data that we transfer to our service providers, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.

 

In addition, some of these third parties may be outside of the European Economic Area. In some cases, the European Commission or relevant authorities of the Trial Subjects’ or Trial Personnel’s country may not have determined that the countries’ data protection laws provide a level of protection equivalent to European Union (EU) law. We will only transfer the personal data to third parties in these countries when proper safeguards are in place. Such safeguards include the 2021 European Commission approved standard contractual data protection clauses and appropriate technical, contractual, and organizational supplemental measures to ensure safety of the personal data.

11. Other Disclosure of Personal Data.

We may disclose the Personal Data:

  • To the extent necessary, to regulators, courts or competent authorities, to comply with applicable laws, regulations, and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order;
  • If, in future, we sell or transfer, or we consider selling or transferring, part or all of our company, business, shares or assets to a third party, we will disclose the Personal Data to such third party (whether actual or potential) in connection with the foregoing events; or
  • In the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose, or assign Personal Data in connection with the foregoing events; and/or
  • If necessary, to our group companies/affiliates for business purposes, as described above.

If the Subject or Trial Personnel wants to receive a list of current recipients of the Personal Data, they can make a request by contacting us at PrivacyContact@akrospharma.com. However, Subjects are encouraged to first contact their Trial doctor or Trial site before contacting us directly.

If we have to disclose the Personal Data to a government or law enforcement authority, we may not be able to ensure that those officials will maintain the privacy and security of the Personal Data.

12. Cookies

A “cookie” is a small file stored on personal use devices that contains information about the device. Cookies may be used on Trial-specific websites. For more information about these cookies, please refer to the cookie policy located in the footer of the website relevant to the specific Trial.

13. Data Integrity & Security

We have put in place technical, administrative and physical measures that are designed to help protect the Personal Data from being accessed, disclosed, altered or destroyed by unauthorized people. These measures include use of measures like key-coding and encryption, where appropriate.

14. Subject’s Rights

If we process Personal Data of Trial Subjects or Trial Personnel (collectively, “data subjects”, each a “data subject”), they will have the right to request access to (or to update or correct) that Personal Data. The data subject may also have the right to ask that we limit processing of their Personal Data, to delete their Personal Data as well as the right to object to processing of the Personal Data. The data subject may also have the right to data portability, which means that they may have the right to ask us to provide a copy of the Personal Data that another company like Akros can process.

If we have received a data subject’s Personal Data based on the Data Privacy Framework, they may also have the right to opt out of having their Personal Data shared with third parties and to revoke consent to our sharing of their Personal Data with third parties. The data subject may also have the right to opt out if their Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or authorized. An individual may request to access their Personal Data, or otherwise correct, amend, or delete their Personal data, or withdraw their consent or limit processing of their Personal Data in line with the Data Privacy Framework Principles by contacting us using the information in the “Contact Us” section below.

If HIPAA applies to processing of the Trial Subjects’ Personal Data, they also have the right to request or receive confidential communications from us by alternative means or at a different address and the right to receive a copy of this Notice.

To submit such requests or raise any other questions, please contact us by using the information in the “Contact Us” section below.

The  data subject may also have the right to lodge a complaint with a data protection regulator in applicable jurisdiction. If the GDPR applies, the data subject can file a complaint with a data protection authority in one or more of the European Union Member States. In particular, the data subject may have the right to file a complaint with the data protection authority in the European Union Member State where they reside, work, or where they believe there has been an infringement of the GDPR. If HIPAA applies, the Trial Subject also has the right to file a complaint with the Secretary of the United States (U.S.) Department of Health and Human Services.

15. Children’s Data

We obtain parental or legal guardian consent before processing Personal Data of children.

16. Data Privacy Frameworks

With respect to the Personal Data processed within the scope of this Notice, Akros complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) as set forth by the U.S. Department of Commerce. If there is any conflict between the terms in this Notice and EU-U.S. DPF Principles, the EU-U.S. DPF Principles shall govern.

 To learn more about the Data Privacy Framework, please visit https://www.dataprivacyframework.gov/.

Dispute Resolution

Where a privacy complaint or dispute relating to the Personal Data received by us in reliance on the Data Privacy Framework cannot be resolved through Akros’ internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to the data subject. To file a complaint with VeraSafe and to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, the required information should be submitted at: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

 Binding Arbitration

If the dispute or complaint related to the Personal Data that we received in regards to the Data Privacy Framework cannot be resolved by us or through the dispute resolution program established by VeraSafe, the data subject may have the right to require that we enter into binding arbitration with the data subject pursuant to the Data Privacy Framework’s Recourse, Enforcement and Liability Principle and Annex I of the Data Privacy Framework.

 U.S. Regulatory Oversight

Akros is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

17. Changes To This Notice

If we change this Notice, we will provide a copy of the revised Notice or update the applicable web page. We will also update the “Effective” date.

18. Contact Us

For questions about this Notice, or our processing of the Personal Data, please contact our Data Protection Officer (details below). However, Subjects are encouraged to first contact their Trial doctor instead of contacting Akros directly. Akros will respond as soon as possible, but no later than 4 weeks after receipt of the question.

19. Data Protection Officer

We have appointed Satoshi Tanabe as our Data Protection Officer (DPO). Please contact him on matters related to our use of the Personal Data. His contact details are:

Satoshi Tanabe
Email: PrivacyContact@akrospharma.com

Note: Subjects are encouraged to first contact their Trial doctor or Trial site before contacting the DPO directly.

20. European Union Representative

We have appointed activeMind.legal Rechtsanwaltsgesellschaft m.b.H as our representative in the EU for the data protection matters. Please contact them via email at PrivacyContact@akrospharma.com or using the following details, but Subjects are encouraged to first contact their Trial doctor or Trial site before doing so:

activeMind.legal Rechtsanwaltsgesellschaft m.b.H

Kurfürstendamm 56

10707 Berlin, Germany

Phone: +49 30 770 19 10 70

21. United Kingdom Representative

We have appointed activeMind.legal UK Ltd. as our representative in the United Kingdom for the data protection matters. Please contact them via email at UK‑privacy@akrospharma.com or using the following details, but Subjects are encouraged to first contact their Trial doctor or Trial site before doing so:

activeMind.legal UK Ltd.
No 1 Royal Exchange
London, EC3V 3DG, UK
Phone: +44 20 89383608