Data Privacy Framework Policy
Effective Date: 1 January 2024
This Data Privacy Framework Policy (the “Policy”) sets forth the privacy principles that Agios Pharmaceuticals, Inc. and its affiliates (collectively, “Agios”) follow with respect to Personal Data received from the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”).
Agios has certified that it adheres to the EU-US Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (collectively, “the DPF”) and the Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, as set forth by the US Department of Commerce. To learn more about the DPF program, and to view our certification page, please visit https://www.dataprivacyframework.gov/s/.
This Policy applies to the processing of Personal Data that Agios may receive from or concerning individuals in the EEA, the UK and Switzerland, including: (1) clinical research subjects; (2) clinical investigators and staff conducting clinical and medical research; (3) potential clinical trial and post-market patients and their family members/caregivers; (4) adverse event reporters and subjects; (5) consumers; (6) investors and shareholders; (7) medical and healthcare professionals; (8) customers; (9) vendors, suppliers, contractors, and business partners; and (10) government officials. This Policy does not cover data from which individual persons cannot be identified.
Agios employees who handle Personal Data from the EEA, Switzerland or the UK are required to comply with the principles stated in this Policy.
Information Agios May Collect
Agios may collect personal information such as:
- information collected through Agios’s clinical trials, including data concerning health, race/ethnicity, names, addresses, email addresses, phone numbers, professional licenses, and dates of birth;
- information you may send to Agios, for example, to report a problem or to submit queries, concerns or comments regarding Agios’s products;
- information (such as your name, email or postal address, telephone number, professional credentials, date of birth, identification number) that you provide by completing forms on Agios’s website or via another system or a vendor Agios uses for such data collection;
- employee personal and financial information;
- information that you may provide to Agios at an industry event or during our business interactions;
- your log-in and password details used for systems managed by Agios or its vendors;
- information you provide when you participate in discussion boards or other social media functions connected with Agios.
Purposes of Processing
Agios processes personal information to facilitate the development and commercialization of its products and for its business purposes. Personal information may be used for purposes of clinical research, business development, marketing and sales, regulatory affairs, procurement, and other Agios business activities.
Agios transfers personal data to third-party processors providing a variety of services, including, but not limited to, clinical trial operations, payroll, systems hosting, and sales and marketing activities.
Agios will not sell or provide your personal information to any third party without notice. When Agios directly collects personal information from EEA and/or Swiss individuals, it advises you, as explained below, about the purposes for which the information is collected and used, your ability to limit the use and disclosure of such information, and how to contact Agios. Agios provides this notice in clear and conspicuous language, either through this privacy statement or other means such as informed consent forms, statements on Agios’ website and other disclosures. Purposes for collection and use vary but may include carrying out scientific or medical research, adverse event and product complaint reporting, managing and overseeing vendors/consultants, and communicating about our products and services.
Agios’ primary focus is the discovery and development of medicines. Agios has multiple investigational therapies in clinical development, which involves the collection and processing of personal data, including data related to EEA or Swiss individuals. When you participate in scientific or medical research, your participation is completely voluntary, and requires that you explicitly consent in writing to the scope of the research to be conducted using the information we gather from and about you (“Clinical Trial Information”) which may include, but is not limited to, your medical history, disease state, information regarding biological specimens and tissue samples, and adverse events.
Agios may receive Clinical Trial Information from third parties such as contract research organizations (CROs) and clinical sites. Agios will only use your Clinical Trial Information for the general research purposes for which it was originally collected and for research that is consistent with your original consent, or to which you have subsequently consented. Research data are often uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. As a sponsor of such research, Agios may not receive the key.
Subject to the exceptions outlined in the DPF Supplemental Principle governing Pharmaceutical and Medical Products, and as otherwise permitted by applicable law, Agios does not use or intend to use your personal information for any purpose other than that for which it was originally collected without your consent. Where personal data are transferred to the United States, Agios may use the data for a new scientific research activity if appropriate notice and choice have been provided to you in the first instance.
Agios does not disclose personal information to third parties for purposes that are incompatible with the purposes for which it was originally collected. Agios may occasionally transfer your personal information to third parties who act for or on behalf of Agios, or in connection with the business of Agios, for further processing consistent with purposes for which the data was originally collected. Where disclosure of personal information to a third party is likely or necessary, further notice may be provided to you, where appropriate, at such collection points as to the intended use of the data.
We require that such third parties protect the information and, where appropriate, we will contractually require them to process data transferred only for the purposes expressly authorized by Agios. Please use the contact information listed below to request to limit the use and disclosure of your personal information.
Agios will not transfer personal information from or concerning individuals in the EEA, UK or Switzerland to third parties unless such third parties have entered into a written agreement with Agios requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles of the DPF. Agios will only transfer your data to our agents, resellers or third-party service providers who need the information in order to provide services or to perform activities on behalf of Agios. The types of companies that now or in the future may receive your personal information provide the following categories of services: clinical research, direct marketing assistance, distributors/resellers, data storage, hosting services, and sales support. Agios does not share data with non-agent third parties.
Agios will not disclose your sensitive personal information (e.g., data concerning health, race/ethnicity) to any third party without first obtaining your explicit consent. You may have provided such consent when you agreed to participate in a clinical trial.
Under certain circumstances, Agios may bear liability for onward transfers of personal information of EEA, UK and/or Swiss individuals where the receiving party processes personal information inconsistent with the EU-U.S. and Swiss-U.S. DPF Principles, unless Agios proves that it is not responsible for the event giving rise to the damages. Agios may provide personal data from clinical trials conducted in the EEA and Switzerland to regulators in the United States and other countries for regulatory and supervision purposes.
In some instances, Agios may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Agios acknowledges that EEA, UK and Swiss individuals have the right to access the personal information that it maintains about them. Agios will provide you with reasonable access to information it has about you upon your request. Agios will take reasonable measures to allow for the correction, amendment, or deletion of your information that is shown to be incorrect or inaccurate. You may contact Agios using the contact information below to learn whether or not Agios has your personal data subject to this policy, and to request corrections, amendments or deletion of such data. This right applies only to personal information about you and is subject to other limitations as defined by law, or where the burden or expense of providing access would be disproportionate to the risks related to the privacy of the individual or where the rights of other individuals would be violated. You will need to provide sufficient identifying information.
If you participate in a blinded study (a study during which participants, and often investigators, cannot be given access to information about which treatment you are receiving) you will not be provided access to the data on your treatment during the trial if this restriction has been explained when you entered the trial and the disclosure of such information would jeopardize the integrity of the research effort.
If you withdraw, or are asked to withdraw, from a clinical trial of our products, your Clinical Trial Information collected prior to your withdrawal may still be processed along with other data collected as part of the clinical trial, if this was made clear to you in the notice at the time you consented to participate in the clinical trial.
PRODUCT SAFETY AND EFFICACY MONITORING
The Notice, Choice, Onward Transfer and Access Principles outlined above do not apply to Agios’s product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices to the extent that the adherence to the Principles interferes with compliance with regulatory requirements, including disclosures to agencies, such as the U.S. Food and Drug Administration.
To protect personal information from or concerning individuals in the EEA, UK and Switzerland, Agios has in place reasonable and appropriate technical and operational security measures to prevent loss, misuse, unauthorized access, disclosure, alteration and destruction of data in its control.
The personal information Agios uses or processes will be necessary for and related to the purpose for which it was obtained or collected. Agios will not use or process the data in a manner that is incompatible with the reason it was collected or authorized to be used. Agios will take reasonable measures to ensure that the data is accurate, complete, current, and reliable for its intended use.
ENFORCEMENT & DISPUTE RESOLUTION
The U.S. Federal Trade Commission has jurisdiction over Agios’s compliance with the DPF.
In compliance with the DPF Principles, Agios commits to resolve complaints about your privacy and Agios’s collection or use of your personal information transferred to the United States pursuant to the DPF. EEA, UK and Swiss individuals with DPF inquiries or complaints should first contact Agios at email@example.com or in writing at:
Attention: Legal Department
Agios Pharmaceuticals, Inc.
88 Sidney Street
Cambridge, MA, 02139
Agios has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, the JAMS Data Privacy Framework Services.
Information about how to file a complaint with the JAMS DPF program can be found at https://www.jamsadr.com/DPF-Dispute-Resolution. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration at your own cost for some residual claims not resolved by other redress mechanisms.
Changes to this Policy
This Policy may be amended from time to time, consistent with the requirements of the DPF Principles. Agios will provide appropriate notice about such amendments.