Last Updated: 12AUG2022
1.0 Introduction and Scope of Privacy Notice
Dicerna Pharmaceuticals, Inc. (“Dicerna”, “we”, “our”, “us”) knows that you care how information about you is used and shared, and we appreciate your trust that we will respect your privacy, and do so carefully and sensibly.
This Privacy Notice informs you how and why we use your Personal Data when you visit our PHYOX study website (“Website”) and informs you of your privacy rights in relation to your Personal Data. For purposes of this Privacy Notice, “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
In particular, this Privacy Notice applies to Personal Data collected about you via the Website, including through forms on the Website and electronic correspondence between you and the Website, and where you are directed to the Website through advertising on social media pages.
This Privacy Notice does not apply to Personal Data collected:
- by us (or our vendors), offline or through any other means, including should you enroll in the PHYOX study, where we will provide you with a further privacy notice addressing the processing of your Personal Data in the context of the PHYOX study;
- through any of our other websites; or
- by any third party, including through any application or content (including advertising) that may link to or be available from the Website.
2.0 Contact details
|Controller of your Personal Data:||Dicerna Pharmaceuticals, Inc., 75 Hayden Avenue, Lexington, MA 02421 USA|
|Dicerna’s European Data Protection Officer:||Address: The DPO Ltd, Capital Tower, Cardiff, CF10 3AZ, United Kingdom; Email Address: email@example.com|
|Dicerna’s EU Data Protection Representative:||Dicerna EU Limited, Suite 1 3rd Floor, 11-12 St. James Square, London, United Kingdom SW1Y 4LB|
|Dicerna’s UK Data Protection Representative:||Dicerna Ireland Limited, 10 Earlsfort Terrace, Dublin, Ireland D02 T38O|
If you have any questions about this Privacy Notice, including any requests to exercise your privacy rights (as set out in Section 12.0 below), please in the first instance contact our vendor, Elligo Health Research: firstname.lastname@example.org or by phone at 512-580-4633 or at: Elligo Health Research, Attn: Privacy Officer/DPO, 11612 Bee Cave Road, Bldg. 1 Ste. 150, Austin, TX 78738.
3.0 Changes to the Privacy Notice and your duty to inform us of changes
We reserve the right to modify this Privacy Notice at any time, so please review it frequently. If we make changes that materially affect our uses of Personal Data or your privacy rights, we will announce the changes on our Website and/or, if appropriate, by email.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
4.0 The Personal Data we collect about you
We may collect, use, store, transfer and otherwise process different categories of Personal Data about you as set out below. However, your name and other directly identifying information, including your contact details, will not be accessed by Dicerna. Instead, you will only be identified by a unique number (a code). Only the study research site and authorized personnel will be able to connect this code with your name.
- Personal Identifier Data includes full name, website username and password, and Internet Protocol (IP) address.
- Contact Data includes post / zip code, email address and telephone numbers.
- Demographic Data includes age, date of birth, and gender.
- Internet or Other Electronic Activity Data includes your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website, and how you use our Website.
- Special Categories of Data: medical records and other health data.
The Website has been active since [July 2019]. Prior to that date, we did not collect any Personal Data through the Website.
5.0 If you fail to provide Personal Data
There are certain categories of Personal Data that we need to collect by law in order to consider you as a participant in the PHYOX study. Where we need to collect Personal Data by law and you fail to provide that Personal Data when requested, it may mean you cannot be considered for and/or take part in the PHYOX study.
6.0 We use different methods to collect Personal Data from and about you including through:
Direct interactions. You may give us your Personal Identifier Data, Contact Data, Demographic Data, and Special Categories of Data when you:
- fill out the pre-screening form on our Website (i.e., to be considered for potential study opportunities). This Personal Data is secured and stored in a portal hosted by our vendor, Elligo Health Research. This Personal Data is securely accessed by study research sites so that they can follow up with potential participants to further determine interest and eligibility for this study;
- create an account on our Website;
- request information from us; and/or
- otherwise interact with the Website.
Automated interactions. As you interact with our Website, we may automatically collect Internet and Other Electronic Activity Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, and other similar technologies. Please see our Cookies Policy for further information.
Third parties. We may receive categories of Personal Data about you from various third parties as set out below:
- Internet and Other Electronic Activity Data from analytics providers – the privacy practices of these third-party companies are subject to their own privacy policies. Please read these policies at: http://www.google.com/intl/en/policies/privacy/.
7.0 Purposes for which we will use your Personal Data
We have set out below a description of the ways we use your Personal Data, and which of the legal bases we rely on to do so (i.e., where you are located in the EEA or the UK).
|Purpose/Activity||Category of Personal Data||Legal basis for processing (where you are located in the EEA or the UK)|
|To communicate with you, to respond to your questions and/or to provide you with information you requested.||(a) Personal Identifier Data; (b) Contact Data; (c) Demographic Data||Necessary for our legitimate interests in providing the requested information and/or information about our processing of your Personal Data in an effective and efficient manner.|
|To collect and store Personal Data you have submitted via the pre-screening form for access by study research sites.||(a) Personal Identifier Data; (b) Contact Data; (c) Demographic Data; (d) Special Categories of Data||Explicit Consent – which you can withdraw at any time|
|To administer and protect our business and our Website (including troubleshooting, data analytics, testing, system maintenance, support, reporting and hosting of data)||(a) Personal Identifier; (c) Demographic Data; (d) Internet and Other Electronic Activity Data||Necessary for our legitimate interests for running our business, the provision of administration and IT services and network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise. Necessary to comply with a legal obligation.|
|Carrying out audits and investigations, and preparing for and acting in relation to enquiries, investigations or proceedings, by governmental, administrative, judicial or regulatory authorities, including civil litigation.||(a) Personal Identifier; (c) Demographic Data; (d) Internet and Other Electronic Activity Data||Necessary for our legitimate interests to manage our business and to ensure that all investigations and proceedings are managed efficiently and effectively. Necessary to comply with a legal obligation.|
Individuals in the EEA/UK: Your Right to Object – Please note that you have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfill this request in all instances.
8.0 Disclosures of your Personal Data
We may share your Personal Data with the parties set out below for the purposes identified above.
- External Third Parties: (i) service providers such as Elligo Health Research, who provide IT and hosting services in respect of this Website and clinical study recruitment services; (ii) study research sites for study and trial qualification purposes; (iii) professional advisors, including lawyers, auditors and insurers; and (iv) third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
- Governmental Authorities: regulators and other authorities who require reporting of processing activities in certain circumstances.
9.0 International transfers
We are located in the US, and Personal Data collected via the Website is hosted by our vendor, Elligo Health Research, in the US. As such, if you are located outside of the US, your Personal Data collected via the Website will be transferred to the US, at all times in accordance with applicable data protection laws.
10.0 Data security
We are committed to protecting the security and privacy of your Personal Data. We maintain reasonable and appropriate technical, organizational, administrative and physical security procedures and practices designed to protect the security, confidentiality, and integrity of Personal Data. While we are committed to safeguarding your Personal Data through our information security program, even the most stringent security program may not always be able to prevent all security breaches.
11.0 Data retention
We will only retain your Personal Data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
12.0 Your privacy rights
Under certain circumstances and depending upon the jurisdiction, country or state in which you are located, you may have rights under applicable data protection laws to:
- request access to your Personal Data;
- request correction of your Personal Data;
- request erasure of your Personal Data;
- object to processing of your Personal Data;
- request that the processing of your Personal Data is restricted;
- request the transfer of your Personal Data to a third party; and
- withdraw consent to the processing of your Personal Data.
If you wish to exercise any of the rights set out above, please in the first instance contact our vendor, Elligo Health Research, at email@example.com or by phone at 512-580-4633 or at: Elligo Health Research, Attn: Privacy Officer/DPO, 11612 Bee Cave Road, Bldg. 1, Ste. 150, Austin, TX 78738. If you are located in the EEA/UK you also have the right to make a complaint to the competent supervisory authority.
13.0 Additional disclosures for California residents
The California Consumer Privacy Act of 2018 (the “CCPA”) grants California residents certain rights with respect to their Personal Data, including, as described below, the right to know about, and delete, their Personal Data. These rights are subject to certain limitations, however, such as that they do not all apply to certain types of Personal Data, including information collected as part of clinical trials that are subject to the U.S. Common Rule or other specific clinical practice guidelines that may apply to our work. Where exceptions to the CCPA apply to a request you submit, we will provide you with an explanation. Please click [here] for information about these rights.
Right to request disclosure of information we collect or share about you. You can submit a request to us for the following data regarding the Personal Data we have collected about you in the 12 months prior to our receipt of your request (a “request to know”):
- The categories of Personal Data we have collected.
- The categories of sources from which we collected the Personal Data.
- The business or commercial purposes for which we collected the Personal Data.
- The categories of third parties with which we shared the Personal Data.
- The categories of Personal Data we disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Data.
- The specific pieces of Personal Data we collected.
Right to request the deletion of Personal Data we have collected from you. Upon request, we will delete the Personal Data we have collected about you, except for situations where specific information is necessary for us to provide you with a product or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law.
The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
How can you make a request to exercise your rights? To submit requests to know or delete, please contact our vendor, Elligo Health Research at 512-580-4633 or firstname.lastname@example.org. They will process requests on our behalf.
How we will handle a request to exercise your rights. For requests to know or delete, we will first acknowledge receipt of the request within 10 business days of receipt of your request. We will provide a substantive response to your request within 45 days from receipt of your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we’ll let you know.
When you make a request to know or delete your Personal Data, we will take steps to verify your identity. These steps may include asking you for Personal Data, such as your name, address, or other information we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial.
You are also entitled to submit a request for Personal Data that could be associated with a household as defined in the CCPA. To submit a request to know or delete household Personal Data, such requests must be jointly made by each member of the household, and we will individually verify all of the members of the household using the verification criteria explained above, and separately verify that each household member making the request currently resides in the household. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.
You may also designate an authorized agent to submit requests on your behalf. If you do so, you will be required to verify your identity by providing us with certain Personal Data as described above. Additionally, we will require that you provide the agent with written and signed permission to act on your behalf, and we will separately confirm with you that you provided the agent with permission to submit the request. We will deny the request if the agent is unable to submit proof to us that you have authorized them to act on your behalf or if any of the above verification criteria are not met.
Shine the Light
California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California residents asking about the business’ practices related to the disclosure of certain types of Personal Data to third parties for the third parties’ direct marketing purposes. We do not disclose Personal Data to such entities, for such purposes.
Do Not Track
“Do Not Track” signals are options available on your browser to tell operators of websites that you do not wish to have your online activity tracked. We do not engage in the collection of personally identifiable information about your online activities over time and across third-party websites or online services, nor do we allow other parties to do so through our Website. Accordingly, we do not process or comply with automated browser signals regarding tracking mechanisms, which may include “do not track” instructions.
14.0 Children’s Personal Data
We will not knowingly collect, use or disclose Personal Data from minors under the age of 18, without obtaining prior consent from a person with parental responsibility through direct off-line contact. We do not sell the Personal Data of minors under age 16.
15.0 Third party websites
Our Website may also contain links to other websites that we do not operate and to which this Privacy Notice does not apply. We encourage you to read the privacy policies of all of the destination websites you visit.
We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact us at 512-580-4633 or email@example.com.
17.0 Contact Information
If you have any questions about this Privacy Notice or our data protection policies, please contact us at firstname.lastname@example.org. To exercise your data privacy rights as detailed in Sections 12 and 13 above (as applicable), please in the first instance contact our vendor Elligo Health Research at email@example.com.