In the course of pursuing its mission of developing new therapies, Atara Biotherapeutics, Inc. and its affiliates (“Atara”) collects and analyzes personal information of various individuals, including patients, vendors and healthcare professionals.
Atara is committed to continuing compliance with the evolving legal and regulatory standards for privacy and data protection applicable in the countries and regions where it conducts its activities.
These Privacy Principles (the “Principles”) represent Atara’s global privacy standards and apply to all Personal Information collected, processed, shared, or used by Atara in the context of its various activities.
2.1 Definition of Personal Information – What is Personal Information?
“Personal Information” means all information that relates to an individual (also called a data subject) or information that can be used to identify a person, both directly (e.g., name or photograph) and indirectly (e.g., a medical insurance number, position in a company, or a study code assigned in a clinical trial). In some countries, Personal Information may also include information such as medical device serial numbers, biological samples, internet protocol addresses, or information relating to a company. It also includes, to the extent applicable, “personal information” or “personal data” protected under applicable laws and regulations.
2.2 Data Subjects – Who are the Data Subjects?
Atara processes Personal Information from the following data subjects fairly and lawfully:
· Patients’ Personal Information. To enhance privacy, data subjects’ names and other direct identifiers are not attached to records or samples collected by Atara for research purposes. Instead, data subjects are only identified by a code.
· Healthcare Professionals’ Personal Information. Atara analyzes the professional profiles of doctors and other healthcare providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications or otherwise collaborating with Atara or for marketing purposes. Atara more generally collects and processes healthcare professionals’ Personal Information for the purposes of executing specific agreements to assist in clinical or medical research and other aspects of product development.
· Employees’ Personal Information. Atara collects and processes employees’ Personal Information to honor employment agreements. Atara also processes Personal Information of job applicants, or to a certain extent, ex-employees, as appropriate.
· Vendors’ Personal Information. Atara interacts with various third parties and needs to record certain Personal Information of their staff to be able to conduct activities together.
· Web Visitors’ Data. Atara collects Personal Information about visitors to company websites through the voluntary provision of the information by the data subject, e.g., where a data subject applies via the website for an open position or submits inquiries or requests medical or scientific information about Atara’s investigational products. Through the use of cookie-based technologies, Atara may collect various data linked to virtual identities allocated to visitors when they access Atara websites. See section 2.5 and Atara Cookies Information for more details.
Atara does not collect or maintain personally identifiable information for resale purposes, and will not share any web visitor’s personally identifiable information with any other company or organization, except to the extent that any sharing is required for the provision of services. If a web visitor does not wish to receive any email or other communication from Atara after requesting information, the web visitor may contact Atara at firstname.lastname@example.org. Atara does collect and/or maintain personally identifiable information for marketing purposes such as the creation of a personalized website experience or email advertising through the purchase of opted-in email lists.
2.3 Categories of Personal Information collected – Which types of Personal Information?
Atara collects various types of Personal Information that may include:
· Identifiers, such as title, name, address, phone number, email address, username, government identification (e.g., driver’s license, passport), photo or image, login credentials, answers to security questions, medical license number, and Internet Protocol address;
· Financial information, such as banking or credit card details;
· Demographic information, such as nationality, ethnic origin, or gender;
· Internet or other electronic network activity information, such as website navigational data, the name of the domain and host from which one accesses the Internet, the browser software used and operating system, the date and time Atara websites were accessed, and the Internet address of the website from which one directly linked to Atara websites;
· Professional or employment-related information, such as professional experience, professional qualifications, professional organization membership status;
· Education information, such as educational background, interests, preferences and favorites.
Atara may also collect other information that is not Personal Information, such as business, company or institutional information.
In addition, for certain programs and services, Atara may collect information regarding patients’ medications, medical state and history and other healthcare-related information, including, without limitation, Protected Health Information (collectively, “Health Information”), from individuals or indirectly from a third party.
2.4 COLLECTION AND PROCESSING OF PERSONAL INFORMATION
2.4.1 Principles – How does Atara collect and use Personal Information?
Where mandated by data privacy law, or where it is a matter of good practice, Atara will seek consent of data subjects to collect, use, and disclose their data consistent with the relevant privacy notice. Specific requirements may vary by jurisdiction and must always be followed.
As required under applicable law, Atara shall:
· Collect and use Personal Information only in instances where it has legal justification to do so. For example, some Atara guidelines or local laws may require explicit consent of the data subject prior to collection of his or her Personal Information as required by applicable law (e.g., informed consent for clinical research);
· Notify data subjects as to how their Personal Information will be used prior to collection of such information;
· Collect only that Personal Information which is required for the specified business purpose;
· Use Personal Information only for the specific business purpose described in the applicable consent form or privacy statement or for purposes that would be reasonably anticipated by the data subject;
· Use Personal Information in ways that do not adversely impact the data subject unless such use is justified by law; and
· Anonymize or pseudonymize Personal Information where possible or appropriate.
Atara recognizes that responsible management of Personal Information is required to protect privacy rights and comply with data privacy laws and regulations.
Personal Information may be shared with other Atara affiliates, government agencies and third parties on a “need to know” basis for legitimate business reasons or as otherwise allowed or required by law.
Where required by applicable law, Atara will ensure an appropriate and lawful response to data subjects who exercise their individual rights to: (1) know what Personal Information is being processed and have an opportunity to correct or update it, (2) object to processing or withdraw consent to processing, as applicable, and/or (3) request correction, erasure, or blocking of their Personal Information.
Atara will take commercially reasonable and appropriate measures to protect Personal Information from loss, misuse and unauthorized access, disclosure, alterations, and destruction, taking into consideration the risks involved in the processing and the nature of the Personal Information.
2.4.2 Collection of Data – How is the Personal Information collected?
Atara may collect Personal Information from the following sources:
Atara may, to the extent permitted by law, collect Personal Information from data subjects through various channels, including the websites, in surveys, during business or marketing events, and when delivering programs and services to various persons.
Atara may provide opportunities to sign up to receive specific information or services and may ask for contact information (e.g., name, home/contact address, home/contact phone number or personal/contact email address), so that we can send specific information about Atara products, services and specific health conditions, with data subjects’ consent.
When enrolling an individual in a program that Atara offers, we may obtain contact information, details of the patient’s health condition, and prescribing information relating to our products.
Atara is also obligated to collect certain Personal Information to comply with regulatory requirements, including information relating to potential adverse effects, which may be experienced when using Atara products.
Atara may indirectly collect information about patients’ health condition, diagnosis, and treatment from healthcare professionals, but only where the healthcare professional has obtained consent to disclose that information to Atara, as required by law.
Atara may, to the extent permitted by law, collect various information from healthcare professionals as part of marketing or educational activities to healthcare professionals, including first name, last name, age, gender, home/contact address, home/contact phone number, medical specialization, professional qualifications, license number and scientific society membership number.
When navigating the websites, certain passive information may also be collected. This type of information is used for the purposes of gathering data to provide improved administration of Atara websites and to improve the quality when interacting with Atara websites.
Atara may also collect information about data subjects from third-party sources to supplement information received from the data subjects. Examples of these third-party sources include marketing vendors, authentication service providers, or background check providers. From time to time, Atara may perform research (online and offline) via surveys.
Atara may collect Personal Information to enable data subjects to use online social media resources offered either by Atara or a third party. Generally, online social media resources are interactive tools that enable data subjects to collaborate and share information with others. Social media resources include, but are not limited to, social networks, discussion boards, bulletin boards, blogs, wikis, and referral functions to share web site content and tools with a friend or colleague. Atara may also enable individuals to use these social media resources to post or share Personal Information with others. When using social media resources, one should take into careful consideration what Personal Information is shared with others.
2.4.3 Use of Data – What will happen to the Personal Information?
Atara and its third-party service providers may also use Personal Information in a variety of ways, including:
· Providing information and services requested by an individual;
· Administrative purposes;
· Marketing products;
· Research and development; and
· Other Uses: Atara may use Personal Information for which Atara has a legitimate interest, such as marketing, individual or market research, anti-fraud protection, or any other purpose disclosed.
2.5 Specific principles for Internet Users including Cookies, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising
A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies are enabled on the computers of visitors to Atara websites for the following purposes: to allow the site to deliver the service requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the company to perform site analytics; and to help tailor marketing messages to the visitor based on previous browsing. Atara cookies are enabled and controlled by the Atara IT team, which is established in the United States. The online relationship with Atara may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on his/her computer, to delete or disable cookies, and to set “Do Not Track” as a function. Please note that disabling cookies may prevent a visitor from using certain features on Atara websites.
To read more about cookies and principles for internet users please see the section below entitled: Atara Cookies Information.
Atara does not collect information through Atara websites from individuals who are known to be children under respective applicable data privacy laws, and no part of Atara online presence is directed to any children.
2.6 Transfers of Personal Information – What happens when the Personal Information goes to another country?
Atara is part of an industry that is increasingly globalized in its approach to life sciences. Personal Information will be shared across international borders as required to support global projects, particularly clinical trials and associated requirements such as safety reporting. Atara hosts Personal Information in databases in different locations throughout the world, mainly in the United States. Atara recognizes that many countries have regulations restricting the flow of Personal Information across international borders. Atara will protect the Personal Information during the transfer according to applicable laws and regulations.
2.7 California Residents
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), grants certain rights to California residents. For this section, Personal Information has the meaning given to it under the CCPA. To the extent the CCPA applies to our processing of your Personal Information, you would be entitled to the following rights:
Right to Know and Access. You have (a) the right to know the categories of the Personal Information we have collected, sold, shared for cross-context behavioral advertising, or disclosed for a business purpose, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, sharing or disclosing Personal Information, and the categories of third parties to whom we have disclosed your Personal Information and (b) right to access the specific pieces of Personal Information we have collected about you.
Right to Deletion. You have the right to request deletion of your Personal Information collected directly from you, subject to certain exceptions.
Right to Correct. If Atara maintains inaccurate Personal Information about you, you have the right to correct such inaccurate Personal Information, taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information.
Right to Opt-Out of Selling. You have the right to opt-out of the sale of your Personal Information to third parties. Atara does not sell Personal Information subject to the CCPA that is subject to this opt-out right. Atara does not have actual knowledge that it sells Personal Information of minors under the age of sixteen (16).
Right to Opt-Out of Sharing of your Personal Information for cross-context behavioral advertising. Atara does not share your Personal Information for such advertising, and therefore does not provide this opt-out.
Right to Limit Use and Disclosure of Your Sensitive Personal Information. You have the right to request Atara to limit the use and disclosure of your sensitive Personal Information. Atara does not provide such an opt-out because it uses sensitive Personal Information subject to the CCPA for the purposes specified in the CCPA and not for inferring characteristics about you.
Right to Non-Discrimination. You have the right to not receive discriminatory treatment if and when you exercise your rights under the CCPA.
If you are a California resident and want to submit a request exercising your rights, please contact us at email@example.com or by mail at the address listed below. You must provide us with sufficient information that allows us to reasonably verify who you are and describe your request with sufficient detail to allow us to properly evaluate and respond to it. If we are unable to verify your identity with the information provided, we may ask you for additional pieces of information. We may also require the individual to do either of the following: (1) verify their own identity directly with the business; or (2) directly confirm with us that they provided the authorized agent permission to submit the request. If you are an authorized agent making a request on behalf of another individual, you must provide us with signed documentation that you are authorized to act on behalf of that individual.
Please note that we are not obligated to respond to more than two Right to Know/Access requests for the same individual’s Personal Information within a 12-month period.
California law also permits California residents to request certain information about our disclosure of Personal Information to third parties for their own direct marketing purposes during the preceding calendar year. As discussed elsewhere in this Notice, we do not currently share the Personal Information of California residents with third parties for their own direct marketing purposes. However, if you have further questions about our privacy practices and compliance with California law, please contact us as explained below.
If you have questions or comments about our privacy practices or this Notice or to request this Notice in another form, contact us at:
Atara Biotherapeutics, Inc.
Attn: Privacy Office
2380 Conejo Spectrum St., Suite 200
Thousand Oaks, CA 91320
All communications, queries, requests to exercise data subjects’ rights (e.g., access to data), or complaints should be addressed to the attention of the Atara Data Protection Officer at firstname.lastname@example.org.
We have appointed DataRep as our Data Protection Representative in the European Union so that you can contact our Representative directly in your home country. DataRep has locations in each of the 27 EU countries, the UK, and Norway and Iceland in the European Economic Area (EEA), and specific details are provided below.
If you want to raise a privacy-related question to Atara, or otherwise exercise your rights in respect of your Personal Information, you may do so by contacting our Data Protection Officer listed above or by sending an email to DataRep at email@example.com quoting <Atara Biotherapeutics, Inc.> in the subject line, contacting us on our online webform at www.datarep.com/data-request, or mailing your inquiry to DataRep at the most convenient of the addresses indicated in the section below.
If you have any concerns about how DataRep will handle the personal data they may require to undertake their services, please refer to their privacy notice at www.datarep.com/privacy-policy.
Atara Cookies Information
Detailed Cookie, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising Information
Cookies. Cookies are small text files placed in visitors’ computer browsers to store their preferences. Most browsers allow you to block and delete cookies. However, if you do that, the Site may not work properly.
Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded on the Site that collects information about users’ engagement on that web page. The use of a pixel allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement.
Analytics. We may also use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on some of our Services, and to develop website content. This analytics data is not tied to any Personal Information. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You can opt out of Google’s collection and Processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.
Our uses of such Technologies fall into the following general categories:
Advertising or Targeting Related. We may use first-party or Third-Party cookies and web beacons to deliver content, including ads relevant to your interests, on our sites or on Third-Party sites. This includes using technologies to understand the usefulness to you of the advertisements and content that has been delivered to you, such as whether you have clicked on an advertisement.
If you would like to opt out of the Technologies we employ on our sites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.
Atara may provide websites and online resources that are specifically designed to be compatible and used on mobile devices. Atara will collect certain information that your mobile device sends when you use such websites or online resources, like a device identifier, user settings and the operating system of your device.
“Do Not Track”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. Atara does not recognize or respond to browser-initiated DNT signals. For information about Do Not Track, visit http://www.allaboutdnt.org.
For more information regarding the collection and use of such information by Facebook, please see the Facebook Data Policy, available at: https://www.facebook.com/policy.php.
You can opt out of the collection and use of your information for interest-based advertising by going to http://optout.aboutads.info or http://www.youronlinechoices.eu/ to limit collection through the Website or by configuring the settings on your mobile device to limit ad tracking through the mobile applications.
Even if you opt out, we may still collect and use non-Personal Information regarding your activities on our Websites and/or information from the advertisements on Third-Party websites for non-interest-based advertising purposes, such as to determine the effectiveness of the advertisements.
Atara Data Protection Representative Contact Information
PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Atara Biotherapeutics, Inc.’, or your inquiry may not reach us. Please refer clearly to Atara Biotherapeutics, Inc. in your correspondence. On receiving your correspondence, Atara Biotherapeutics, Inc. is likely to request evidence of your identity, to ensure your Personal Information and information connected with it is not provided to anyone other than you.
If you have any concerns over how DataRep will handle the Personal Information we will require to undertake our services, please refer to its privacy notice at https://www.datarep.com/privacy-policy/.
UK data subjects may contact our Data Protection Representative as Atara’s UK Representative at the UK contact location noted here (DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom) or as below.
DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
DataRep, 72 rue de Lessard, Rouen, 76100, France
DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857,
DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
DataRep, Calle De Manzanares 4, Madrid, 28005, Spain
DataRep, St Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden
DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom