Privacy Notice for Clinical Development Program Awareness Website – SHINE
Last Updated: November 2021
1.0 Introduction and Scope of Privacy Notice
Dicerna Pharmaceuticals, Inc. (“Dicerna”, “we”, “our”, “us”) knows that you care how information about you is used and shared, and we appreciate your trust that we will respect your privacy, and do so carefully and sensibly.
This Privacy Notice informs you how and why we use your Personal Data when you visit our SHINE trials website (“Website”) and informs you of your privacy rights in relation to your Personal Data. For purposes of this Privacy Notice, “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
In particular, this Privacy Notice applies to Personal Data collected about you via the Website, including through forms on the Website, electronic correspondence between you and the Website, and where you are directed to the Website through advertising on social media pages.
This Privacy Notice does not apply to Personal Data collected:
- by us (or our vendors), offline or through any other means, including should you enroll in the Estrella study, where we will provide you with a further privacy notice addressing the processing of your Personal Data in the context of the Estrella study;
- through any of our other websites; or
- by any third party, including through any application or content (including advertising) that may link to or be available from the Website.
By accessing the Website, you agree to our collection and use of Personal Data as described in this Privacy Notice and our Terms of Use. However, this does not equate to consent for the processing of your Personal Data for purposes of data protection laws in the European Economic Area (“EEA”) or the United Kingdom.
2.0 Contact details
Controller of your Personal Data: | Dicerna Pharmaceuticals, Inc. |
Dicerna’s European Data Protection Officer: | Address: The DPO Ltd, Capital Tower, Cardiff, CF10 3AZ, United Kingdom; Email Address: sar@thedpo.co.uk |
Dicerna’s UK Data Protection Representative: | Dicerna EU Limited, Suite 1, 3rd Floor, 11-12 St. James Square, London, United Kingdom SW1Y 4LB |
Dicerna’s EU Data Protection Representative: | Dicerna Ireland Limited, 10 Earlsfort Terrace, Dublin, Ireland D02 T380 |
If you have any questions about this Privacy Notice, including any requests to exercise your privacy rights (as set out in Section 12.0 below), please in the first instance contact our data protection officer at sar@thedpo.co.uk.
3.0 Changes to the Privacy Notice and your duty to inform us of changes
We reserve the right to modify this Privacy Notice at any time, so please review it frequently. If we make changes that materially affect our uses of Personal Data or your privacy rights, we will announce the changes on our Website and/or, if appropriate, by email.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
4.0 The Personal Data we collect about you
We may collect, use, store, transfer and otherwise process different categories of Personal Data about you as set out below. However, your name and other directly identifying information, including your contact details, will not be accessed by Dicerna. Instead, you will only be identified by a unique number (a code). Only the study research site and authorized personnel will be able to connect this code with your name.
- Personal Identifier Data includes full name and internal protocol (IP) address.
- Contact Data includes post / zip code, email address and telephone numbers.
- Demographic Data includes age, date of birth, and gender.
- Internet or Other Electronic Activity Data includes your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website, and how you use our Website.
- Special Categories of Data: health data.
5.0 If you fail to provide Personal Data
Where we need to collect Personal Data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services or employee benefits). In this case, we may have to cancel a product or service you have with us but we will notify you promptly if this is the case at the time.
6.0 We use different methods to collect Personal Data from and about you including through:
Direct interactions. You may give us your Personal Identifier Data, Contact Data, Demographic Data, and Special Categories of Data when you:
- request information from us; and/or
- otherwise interact with the Website.
Automated interactions. As you interact with our Website, we may automatically collect Internet and Other Electronic Activity Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, and other similar technologies. Please see our [Cookies Policy] for further information.
Third parties. We may receive categories of Personal Data about you from various third parties as set out below:
- Internet and Other Electronic Activity Data from analytics providers – the privacy practices of these third-party companies are subject to their own privacy policies. Please read these policies at: http://www.google.com/intl/en/policies/privacy/.
7.0 Purposes for which we will use your Personal Data
We have set out below a description of the ways we use your Personal Data, and which of the legal bases we rely on to do so (i.e., where you are located in the EEA or the UK).
Purpose/Activity | Category of Personal Data | Legal basis for processing (where you are located in the EEA or the UK) |
To communicate with you, to respond to your questions and/or to provide you with information you requested. | (a) Personal Identifier Data (b) Contact Data (c) Demographic Data | Necessary for our legitimate interests in providing the requested information and/or information about our processing of your Personal Data in an effective and efficient manner. |
To administer and protect our business and our Website (including troubleshooting, data analytics, testing, system maintenance, support, reporting and hosting of data) | (a) Personal Identifier (b) Contact (c) Demographic Data (d) Internet and Other Electronic Activity Data | Necessary for our legitimate interests for running our business, the provision of administration and IT services and network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise. Necessary to comply with a legal obligation. |
Carrying out audits and investigations, and preparing for and acting in relation to enquiries, investigations or proceedings, by governmental, administrative, judicial or regulatory authorities, including civil litigation. | (a) Personal Identifier (b) Contact (c) Demographic Data (d) Internet and Other Electronic Activity Data | Necessary for our legitimate interests to manage our business and to ensure that all investigations and proceedings are managed efficiently and effectively. Necessary to comply with a legal obligation. |
Individuals in the EEA/UK: Your Right to Object – Please note that you have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
8.0 Disclosures of your Personal Data
We may share your Personal Data with the parties set out below for the purposes identified above.
- External Third Parties: (i) service providers who provide IT and hosting services in respect of this Website; (ii) professional advisors, including lawyers, auditors and insurers; and (iii) third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
- Governmental Authorities: regulators and other authorities who require reporting of processing activities in certain circumstances.
9.0 International transfers
We are located in the US and Personal Data collected via the Website is hosted by our vendor, SmithSolve in the US. As such, if you are located outside of the US, your Personal Data collected via the Website will be transferred to the US at all times in accordance with applicable data protection laws.
10.0 Data security
We are committed to protecting the security and privacy of your Personal Data. We maintain reasonable and appropriate technical, organizational, administrative and physical security procedures and practices designed to protect the security, confidentiality, and integrity of Personal Data. While we are committed to safeguarding your Personal Data through our information security program, even the most stringent security program may not always be able to prevent all security breaches.
11.0 Data retention
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
12.0 Your privacy rights
Under certain circumstances and depending upon the jurisdiction, country or state in which you are located, you may have rights under applicable data protection laws to:
- request access to your Personal Data;
- request correction of your Personal Data;
- request erasure of your Personal Data;
- object to processing of your Personal Data;
- request that the processing of your Personal Data is restricted;
- request the transfer of your Personal Data to a third party; and
- withdraw consent to the processing of your Personal Data.
If you wish to exercise any of the rights set out above, please in the first instance contact our data protection officer at sar@thedpo.co.uk.
13.0 Additional disclosures for California residents
Shine the Light
California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California residents asking about the business’ practices related to the disclosure of certain types of Personal Data to third parties for the third parties’ direct marketing purposes. We do not disclose Personal Data to such entities, for such purposes.
Do Not Track
“Do Not Track” signals are options available on your browser to tell operators of websites that you do not wish to have your online activity tracked. We do not engage in the collection of personally identifiable information about your online activities over time and across third-party websites or online services, nor do we allow other parties to do so through our Website. Accordingly, we do not process or comply with automated browser signals regarding tracking mechanisms, which may include “do not track” instructions.
California Consumer Privacy Act
The California Consumer Privacy Act of 2018 (the “CCPA”) grants California residents certain rights with respect to their Personal Data, including, as described below, the right to know about, and delete, their Personal Data. These rights are subject to certain limitations, however, such as that they do not all apply to certain types of Personal Data, including information collected as part of research studies including clinical trials that are subject to the U.S. Common Rule or other specific clinical practice guidelines that may apply to our work. Where exceptions to the CCPA apply to a request you submit, we will provide you with an explanation. Please click here for information about CCPA disclosures and rights.
14.0 Children’s Personal Data
We will not knowingly collect, use or disclose Personal Data from minors under the age of 18, without obtaining prior consent from a person with parental responsibility through direct off-line contact.
15.0 Third party websites
The Website displays social media buttons. When you click on any of those buttons, your Personal Data may be transferred to these companies and they may also set cookies or other tracking technologies on your browser. The privacy policies and terms of use of each of those companies govern the collection and use of your Personal Data when you click on their buttons on our Website.
Our Website may also contain links to other websites that we do not operate and for which this Privacy Notice does not apply. We encourage you to read the privacy policies of all of the destination websites you visit.
16.0 Accessibility
We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact our data protection officer at sar@thedpo.co.uk.
17.0 Contact information
If you have any questions about this Privacy Notice or our data protection policies, please contact our data protection officer at sar@thedpo.co.uk. To exercise your data privacy rights as detailed in Sections 12 and 13 above (as applicable), please in the first instance contact our data protection officer at sar@thedpo.co.uk.