Effective 22 June 2022
Wave Life Sciences Ltd. and its affiliated companies, including specifically Wave Life Sciences USA, Inc., Wave Life Sciences UK Limited, Wave Life Sciences Ireland Limited, and Wave Life Sciences Japan, Inc., (collectively, “Wave,” “we,” “us,” and “our”) are committed to respecting your privacy. This Privacy Notice explains how any Personal Information we collect or receive will be handled.
This Privacy Notice describes the Personal Information we collect, what, why, and how that Personal Information is processed, and the rights and choices you have in relation to your Personal Information.
For the purpose of this Privacy Notice, Wave will often reference the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”) for purposes of the collection and processing of Personal Information in the European Union (“EU”). This reference is intended to include the UK GDPR and UK Data Protection Act for purposes of the collection and processing of Personal Information in the United Kingdom (“UK”).
As Wave is a global organization, the Personal Information we collect, and process may come from a variety of countries, states, or municipalities. Each location may have its own specific local privacy laws or regulations. For example, to the extent it aligns when it enters into force in September 2023, the Swiss New Act called the Federal Data Protection Act (FDPA) will also be incorporated herein.
Please note that any companies in China wishing to do business with a Wave entity must comply with the Personal Information Protection Law (PIPL) and should not send any personal information to Wave unless it is necessary to enter into or perform a contract to which the individual is a party. Wave does not wish to receive any Personal Information from individuals residing in China. Contractual performance is the only basis by which Wave processes Personal Information, and it does so in line with the same provisions laid out in this Privacy Notice.
While there may be slightly different or analogous terms used in each country where Personal Information is collected and/or processed, for the purpose of this Privacy Notice, Wave will use the general terms found in the GDPR, such as Data Controller and Data Processor, for ease of review.
A Data Controller is an organisation that is responsible for making decisions and setting out the rules for how your information is collected and used by itself and other organisations it works with when processing your personal information.
Wave is the Data Controller of the personal information provided to us by you (your Personal Information).
A Data Processor is an organisation that receives your personal information from a Data Controller, but it must follow the rules given to it by the Data Controller.
Our partners, contractors and consultants may act as a controller or processor depending upon the specific relationship, we have with them. Through contractual agreements, we ensure the privacy, security, and confidentiality of your personal information.
At Wave, we recognize the importance of, and are fully committed to protecting the privacy of your Personal Information.
Wave’s Data Protection Officer (“DPO”) can be contacted at: [email protected]
What is Personal Information?
Personal Information is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
‘Personal Information’ may be defined differently in other countries or regions. The provisions here outline the general practices for processing of Personal Information by Wave.
Personal Information is any information about you that identifies you or that could reasonably be used to identify you. Personal information covers obvious information such as your name and contact details, but it may also cover less obvious information.
Personal Information collected online can come through Wave’s websites, by email, and through other digital services and products Wave may operate. Such Personal Information can include, for example, the Internet Protocol (“IP”) address of your computer, which may reveal your approximate location. Wave uses the Personal Information collected for various purposes which may include but are not limited to the following: to respond to your inquiries and otherwise communicate with you about our products and services; to provide and deliver services you request (webinars, presentations, and publications); to offer and provide information; to staff, facilitate, conduct and manage clinical trial; and comply with regulatory monitoring and reporting obligations.
Personal Information collected by Wave through special programs, such as in connection with our sponsored clinical trials, depends on the context of your interaction with us. For additional information on what Wave collects in connection with our sponsored clinical trials please see “Additional Information.”
What Personal Information Do We Collect?
The Personal Information we collect depends on the nature of your interaction with Wave. In general, the types of Personal Information we may collect include but are not limited to the following:
- Postal and/or email address (personal and/or business)
- Phone number
- Date of birth or partial date of birth
- Job title, profession
- Correspondence, and other personal information relevant to the formation and execution of a contract between you and Wave
- Adverse events or Complaints and correspondence
- Data breach notifications and correspondence, if you are acting as a data controller, joint controller, or data processor
- Information you provide us when you fill in forms or attend events
- Information about the promotional, scientific and medical activities/interactions you have with us
- Information collected from you during the course of a clinical trial
Based on the nature of the interaction, Wave may also collect what is referred to as “sensitive” Personal Information. This type of Personal Information is treated with heightened protection due to the impact disclosure could have on a person’s livelihood, quality of life, and ability to participate in daily activities. For example, with our sponsored clinical trials, Wave would be aware of the disease state of the participants. In general, Wave does not normally collect sensitive PI outside of what is needed for our clinical trials.
What is Sensitive Personal Information?
The GDPR defines specific types of Personal Information as “Sensitive Personal Information,” which mean any information relating to an individual’s:
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health related data
- Genetic data
- Biometric data
- Sex life
- Sexual orientation
The Legal Bases for Processing Your Personal Information
Your Personal Information is obtained for the purposes of the interaction with Wave, and is necessary under one or more of the following legal bases:
- Contract: We need to process personal data to fulfil our obligations under a contract, or enter into a contract, with the data subject. You may not be able to opt-out of this use, or your choice to opt-out may impact our ability to perform a contractual obligation otherwise owed to you.
- Legal obligation and Protection of Individuals: We need to process personal data to comply with applicable laws, such as EU law or the national law of an EU country, , as well as to protect you and other individuals from certain harms.
- Vital Interests: Where required for vital interests of any individual
- Compliance: The processing is necessary for our compliance with a statutory or legal obligation
- Legitimate Interest: In certain circumstances the processing information is necessary for Wave’s or a third party’s legitimate interest to process your personal information, consistent with your rights and appropriate to the context, including as necessary:
- to develop, administer and support our products and services;
- to operate, evaluate and improve our business;
- to facilitate and manage clinical trials and other patient advocacy and engagement programs;
- to promote scholarly research;
- for drug safety and risk management purposes;
- to conduct business relationships and operations;
- to support our recruitment activities;
- to facilitate a sale of assets or merger or acquisition; or
- as necessary to protect against criminal offenses, and to maintain a safe workplace for staff.
In these situations, we would take into account and balance your rights with our interests.
Why We Collect Your Personal Information?
Under the GDPR, or other applicable privacy laws, a legal basis for collecting and using personal information should exist (for a list of these bases see The Legal Bases for Processing Your Personal Information). The legal basis may be because the data is necessary for our performance of a contract with you or one of our clients, because you have consented to our use of your personal information, because it is in our legitimate business interests to use it, or for another legal basis.
- Conduct our business operations: responding to questions and comments, presenting at conferences and authoring publications, managing our collaboration and payments, managing data where international or business travel is required for education or consultancy, advising on activities involving HCPs, Health
- Communications in the context of business operations: communications with the individuals, entities, and institutions in the context of the business activity.
- Conduct security and fraud detection and prevention: to ensure security and confidentiality of your data, ensuring a safe environment at our facilities or networks.
- Any other purpose that is relevant in the relationship between Wave and you.
We will process information for further compatible purposes, where lawful to do so (such as for archiving, scientific or market research purposes) or when legally obliged to do so (such as reporting information for Wave’s risk management and drug safety obligations).
How Do We Collect Your Personal Information?
You provide it to us when you:
- Use our website;
- Provide it to us directly (email, phone, conversation);
- Participate in a Wave sponsored clinical trial or other Wave sponsored special program; or
- Through your doctors or healthcare providers, who provide it to us under your explicit and unambiguous consent via pseudonymization.
What is Pseudonymization?
Pseudonymization is a safeguard, where Personal Information or any information which could be used to identify an individual, is replaced with a pseudonym, or, in other words, a code which does not allow the individual to be directly identified. Pseudonymization makes it almost impossible to identify the Personal Information without the necessary key. A “key” is the link between the pseudonymized or coded information and the identifiable Personal Information. The sender retains the key, to help prevent reidentification of pseudonymized information or data.
What Do We Do with Your Personal Information?
Your personal information is processed by us or by one or more organisations acting on our behalf.
We use appropriate technical and organisational measures to protect your Personal Information. When handling the information of HCPs, we take reasonable steps to protect it from loss, misuse, unauthorised access, disclosure, alteration, or destruction.
We may store or transfer some or all of your Personal Information to countries that are not part of the European Union (including the EEA Member States Norway, Iceland, and Liechtenstein). These are known as “third countries” and may not have data protection laws that are as strong as those in the EU. This means that we will take additional steps in order to ensure that your personal information is treated just as safely and securely as it would be within the EU and under the GDPR.
The confidentiality, privacy and security of your personal information is essential to us, and to protect your data, we take a number of important measures, including the following:
- We obtain guarantees from organisations we use to process your personal information; we check that safeguards are in place, that include technical and organizational security of the processing for example storage, transfers
- Where we process your information, we ensure that:
- All personal information is stored on secure databases with adequate protection and backup capabilities. We may use third-party providers for storage and have data protection agreements with them.
- Secure databases are accessed via our personnel or our third-party providers using authorised secure access employing usernames, passwords, and variable privilege rights.
- Where paper records are created or obtained, we ensure that they are kept secure, and not accessed by unauthorised individuals.
If any of your personal information is required by a third party, we will take steps to ensure that your personal information is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.
Where is Your Personal Information Stored?
We may store in or transfer to some or all your personal information to countries that are not part of the EU. These countries may not have data protection laws that are as strong as those in the EU. This means that we will take additional steps to ensure that your personal information is treated just as safely and securely as it would be within the EU.
Do We Share Your Personal Information?
We disclose individual information where this is reasonably required to pursue our legitimate business objectives and as required by law. Information will be disclosed only in accordance with applicable laws, and appropriate safeguards will be established, where possible, to protect your information. We may disclose information within Wave and our worldwide affiliates.
In order to conduct our business, we may also disclose information to third parties such as public/regulatory authorities/governmental bodies (government, including social and benefits departments), third parties that provide services to us (such as conducting audits, IT services, assisting in our clinical trials and studies or health care compliance activities), business partners and collaborators (such as external scientists).
If Wave or substantially all of our assets are acquired by a third party, personal information held by us about individuals will be included as transferred assets.
We may also disclose information to enforce any agreements we have with you or to protect our rights or the rights, property or safety of our employees, patients or others (e.g., visitors to Wave premises).
How Long Will We Keep Your Personal Information?
We will not keep your personal information for any longer than is necessary consistent with the reason(s) for which it was first collected.
What are Your Rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal information. This Privacy Notice should tell you everything you need to know.
- The right to access the personal information we hold about you.
- The right to have your personal information rectified if any of your personal information held by us is inaccurate or incomplete.
- The right to be forgotten, i.e., the right to ask us to delete or otherwise dispose of any of your personal information that we have.
- The right to restrict (i.e., prevent) the processing of your personal information.
- The right to object to us using your personal information for a particular purpose or purposes.
- The right to data portability. This means that, if you have provided personal information to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal information to re-use with another service or business in many cases.
- Rights relating to automated decision-making and profiling. We do not use your personal information in this way.
- The right to withdraw your consent at any time where we rely on your consent to use your personal information.
If you have a complaint, we would like to have the opportunity to address it first, this does not stop you from making a complaint to the Data Protection Supervisory Authority.
Further information about your rights can also be obtained from your national Data Protection Supervisory Authority or the Supervisory Authority in the country in the EU where Wave’s or the Data Protection Officer are based. A list can be found here: https://digital-strategy.ec.europa.eu/en/library/list-personal-data-protection-competent-authorities.
We may refuse to comply with your rights where the rights of other persons would be violated, where any other legal exemptions may apply, where your request is not legitimate or applicable, or where it is not in our legitimate interests to the extent allowed by the data protection laws applicable in the EU and your country. If we refuse to comply, we will explain to you our reasons for doing so.
We would encourage you to exhaust our complaints processes, however if you still feel that your personal information has not been handled appropriately according to the law, you can contact a Supervisory Authority and file a complaint with them.
How Can You Exercise Your Rights?
If you want to know what personal information, we have about you, you can ask us for details of that personal information and for a copy of it (if any such personal information is held). This is known as a “subject access request”.
All subject access and other rights requests should be made in writing and sent to the Data Protection Officer at [email protected]. Click here to submit a form to make your subject access request.
There is not normally any charge for a subject access and other rights requests. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will endeavor to respond to your subject access request within one month of receiving it. In some cases, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal information protection. Modifications will be posted on Wave’s website, so please check back.
If there are any changes to the purposes for which we have obtained your personal information, or the legal basis used, we will contact you. The changes shall be explained to you, and your agreement or disagreement obtained.
If you are a (i) Patient involved in a Wave sponsored clinical trial; (ii) a Healthcare Professional involved in a Wave sponsored clinical trial; or (iii) a Partner, Contractor or Consultant involved in a Wave sponsored clinical trial, click one of the links below to learn more about Data Privacy.
For additional information which applies specifically to Patients involved in Wave sponsored Clinical Trials see Additional Information for Patients Involved in a Wave Sponsored Clinical Trial
For additional information which applies specifically to Healthcare Professionals involved in Wave sponsored Clinical Trials see Additional Information for Healthcare Professionals Involved in a Wave Sponsored Clinical Trial
For additional information which applies specifically to Partners, Contractors, and Consultants involved in Wave sponsored Clinical Trials see Additional Information for Partners, Contractors, and Consultants Involved in a Wave Sponsored Clinical Trial