Privacy Policy

1.0 Overview

1.1 Purpose

Atara Biotherapeutics, Inc. and its operating divisions, subsidiaries, affiliates and branches (collectively, “Atara,” the “Company,” “we” or “us”) are sensitive to privacy issues, and it is important to us to protect the information, including Personal Information (as defined in Section 10 of this Global Privacy Policy), provided to us.  Accordingly, Atara provides this Global Privacy Policy to inform you about our online and offline information practices, the kinds of Personal Information we may collect, how we intend to use and share that Personal Information, and how you can correct or change such Personal Information relating to you (“Privacy Policy”).

1.2 Scope

This Privacy Policy applies to Personal Information that is collected, stored and used (“Processed” as further defined in Section 10 of this Global Privacy Policy) by Atara in the course of our business, including on Atara websites (together with any and all future websites operated by or on behalf of Atara, the “Websites”).  All individuals whose responsibilities include the Processing of Personal Information on behalf of Atara are expected to protect that data by adherence to this Privacy Policy.

Atara complies with the requirements of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively “Privacy Shield”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission (“FTC”), regarding the collection, use, and retention of Personal Information transferred from the European Economic Area and Switzerland to the United States.  Atara has certified to the Department of Commerce that it adheres to the Privacy Shield Principles and Supplemental Principles.  If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view Atara’s certification, please visit https:// www.privacyshield.gov.  Additionally, Atara may protect information through other legally valid methods, including international data transfer agreements.

This Policy applies to all Atara operating divisions, subsidiaries, affiliates, and branches, including its U.S. affiliates certified under the Privacy Shield and any additional subsidiary, affiliate, or branch of Atara that we may subsequently form.

2.0 Transparency/Notice–What Personal Information We Collect and How We Use It

The types of Personal Information we may collect (directly from you or from Third-Party sources) and our privacy practices depend on the nature of the relationship you have with Atara and the requirements of applicable law.  We endeavor to collect information only relevant for the purposes of Processing.  Below are the legal bases and some of the ways we collect information and how we use it.

2.1 Individuals

Atara collects Personal Information regarding its current, prospective and former clients, customers, patients, visitors and guests (collectively “Individuals”).

2.2 Information Atara Collects

The data we collect from or about Individuals includes information that may be deemed Personal Information. This includes:

  • Identifiers, such as title, name, address, phone number, email address, username, government identification (e.g., driver’s license, passport), photo or image, login credentials, answers to security questions, medical license number, and Internet Protocol address;

  • Financial information, such as banking or credit card details;

  • Demographic information, such as nationality, ethnic origin, or gender;

  • Internet or other electronic network activity information, such as website navigational data, the name of the domain and host from which you access the Internet, the browser software you use and your operating system, the date and time you access our Websites, and the Internet address of the website from which you linked directly to our Websites;

  • Professional or employment-related information, such as professional experience, professional qualifications, professional organization membership status;

  • Education information, such as educational background, interests, preferences and favorites.

We may also collect other information that is not Personal Information, such as business, company or institutional information.

In addition, if you participate in certain Atara programs or services, we may collect information regarding your medications, medical state and history and other healthcare-related information, including, without limitation, Protected Health Information (collectively, “Health Information”), from Individuals or indirectly from a Third Party. For example, we may indirectly collect information about your health condition, diagnosis, and treatment from your healthcare professional, but only where your healthcare professional has obtained your consent to disclose that information to us, as required by law.  Any Health Information that is tied to an Individual’s Personal Information will be treated as Personal Information in accordance with the applicable laws in North America, Europe, APAC, and other jurisdictions.

2.3 How Atara Collects Personal Information

Atara may collect Personal Information from the following sources:

  • Atara may, to the extent permitted by law, collect Personal Information from you through various channels, including the Websites, in surveys, during business or marketing events, and when delivering programs and services to you.

  • When you use the Websites, Atara may provide you with opportunities to sign up to receive specific information or services and may ask for your contact information (e.g., name, home/contact address, home/contact phone number or personal/contact email address), so that we can send you specific information about our products, services and specific health conditions, with your consent.

  • When you enroll in a program that Atara offers, we may obtain your contact information, details of your health condition, and prescribing information relating to our products.

  • Atara is also obligated to collect certain Personal Information to comply with regulatory requirements, including information relating to adverse effects you have experienced when using our products.

  • Atara may indirectly collect information about your health condition, diagnosis, and treatment from your healthcare professional, but only where your healthcare professional has obtained your consent to disclose that information to us, as required by law.

  • Atara may, to the extent permitted by law, collect various information from healthcare professionals as part of marketing or educational activities to healthcare professionals, including first name, last name, age, gender, home/contact address, home/contact phone number, medical specialization, professional qualifications, license number and scientific society membership number.

  • As you navigate the Websites, certain passive information may also be collected.  This type of information is used for the purposes of gathering data to provide improved administration of our Websites, and to improve the quality of your experience when interacting with our Websites.

2.4 Information from Third-Party Sources

Atara may collect information about you from Third-Party sources to supplement information provided by you.  This supplemental information allows us to verify information that you have provided to Atara and to enhance our ability to provide you with information about our business, products and services.  Atara’s agreements with these Third-Party sources typically limit how the Company may use this supplemental information.  Examples of these Third-Party sources include marketing vendors, authentication service providers, background check providers, or advertising networks.

2.5 Research/Survey Solicitations

From time to time, Atara may perform research (online and offline) via surveys.  We may engage Third-Party service providers to conduct such surveys on our behalf.  All survey responses are voluntary, and the information collected will be used for research and reporting purposes to help us better serve Individuals by learning more about their needs and the quality of the products and services we provide.  The survey responses may be utilized to determine the effectiveness of our Websites, various types of communications, advertising campaigns and/or promotional activities.  If an Individual participates in a survey, the information given will be used along with that of other study participants.  We may share anonymous individual and aggregate data for research and analysis purposes.

2.6 How Atara Uses Your Personal Information

Depending on how you interact with Atara, we and our Third Party-service providers may also use Personal Information in a variety of ways, including:

  • Providing Information and Services You Requested.  Atara may use the Personal Information about you to provide you information that you may request, e.g., information about a product or program we are offering.  Atara may also use your Personal Information to deliver a specific program or service to you, when you enroll to receive the program or service.  Such use may include: (a) generally managing your information and accounts; (b) responding to questions, comments and requests; (c) providing access to certain areas and features of the Atara Websites; and (d) permitting you to register for events or participate in webinars or other events.

  • Administrative Purposes. Atara may use the Personal Information about you for its administrative purposes, including, without limitation, to: (a) measure interest in Atara’s Websites, programs or services; (b) perform internal quality control; (c) verify identity; (d) send communications regarding the Atara Website, programs or services, your account, or any changes to any Atara policy or terms of service; (e) prevent potentially prohibited or illegal activities; and (f) enforce our Terms of Use.

  • Marketing Products and Services.  Atara may use the Personal Information about you to provide you with materials about offers, products and services offered by us, including new content or services on Atara Websites.  Atara may provide you with these materials by phone, postal mail, facsimile or email, as permitted by applicable law.  If you do not wish us to use your Personal Information for marketing purposes, you may contact us at any time to opt out of the use of your Personal Information for such purposes, as further described below.

  • Research and Development.  Atara may use your Personal Information to create non-identifiable information that we may use alone or in the aggregate with information obtained from other sources, in order to help us to optimally deliver our existing products and services or develop new products, processes and services.

  • Information Submitted Via Websites.  You agree that Atara is free to use the content of any communications or other information submitted by you via the Websites, including any narratives, images, ideas, inventions, concepts, techniques, or know-how disclosed therein, for any purpose including developing, manufacturing, and/or marketing goods or services.  However, Atara does not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first send notice to you that the materials or other information you submit to a particular part of a site will be published or otherwise used with your name on it; or (c) we are required to do so by law.

  • Anonymized and Aggregated Data.  Including as discussed below in Section 2.12, Atara may use and share your anonymized or aggregated information within the Atara group of companies or with Third Parties for public health, research, analytics and any other legally permissible purposes. Third Parties, as defined in Section 10 of this Global Privacy Policy, shall include the entities listed in Section 4.1 of this Policy.

  • Other Uses. Atara may use Personal Information for which we have a legitimate interest, such as direct marketing, individual or market research, anti-fraud protection, or any other purpose disclosed to you at the time you provide Personal Information or with your consent.

2.7 Social Media

Generally, online social media resources are interactive tools that enable Data Subjects, as defined in Section 10 of this Global Privacy Policy, to collaborate and share information with others.  Social media resources include, but are not limited to, social networks, discussion boards, bulletin boards, blogs, wikis, and referral functions to share web site content and tools with a friend or colleague.

Atara may collect Personal Information to enable Data Subjects to use online social media resources offered either by Atara or a Third Party.  We may also enable you to use these social media resources to post or share Personal Information with others.  When using social media resources, you should take into careful consideration what Personal Information you share with others.

If you use an online social media resource offered by a Third-Party (“Third-Party SMR”) through the Atara Website, you acknowledge that Atara may be able to access any information you make public through such Third-Party SMR (such as your username, comments, posts and contacts) and other information your privacy settings on such Third-Party SMR permit Atara to access.  Atara will comply with the terms of this Privacy Policy and the privacy policies applicable to the social media resources it uses.

2.8 Direct Mail, Email and Outbound Telemarketing

Individuals who provide us with Personal Information, or whose Personal Information we obtain from Third Parties, may receive periodic emails, newsletters, mailings or phone calls from us with information on Atara or our business partners’ products and services or upcoming special offers/events we believe may be of interest.  We offer the option to decline these communications at no cost to the individual by following the instructions in Section 3 below.

2.9 All Internet Users–Cookies, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising

We, as well as Third Parties that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through the Services. We use Technologies that are essentially small data files placed on your computer, tablet, mobile phone, or other devices (referred to collectively as a “device”) that allow us to record certain pieces of information whenever you visit or interact with our sites, services, applications, messaging, and tools, and to recognize you across devices.

  • Cookies. Cookies are small text files placed in visitors’ computer browsers to store their preferences.  Most browsers allow you to block and delete cookies. However, if you do that, the Site may not work properly.

  • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded on the Site that collects information about users’ engagement on that web page.  The use of a pixel allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement.

  • Social Media Widgets: Our Website includes social media features such as the Facebook “Like” button and LinkedIn (that might include widgets such as the “Share” button or other interactive mini-programs).  These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly.  These social media features are either hosted by a Third Party or hosted directly on our Website. Your interactions with these features are governed by the privacy policy of the company providing it.

  • Analytics. We may also use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on some of our Services, and to develop website content. This analytics data is not tied to any Personal Information. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You can opt out of Google’s collection and Processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.

Our uses of such Technologies fall into the following general categories:

  • Operationally Necessary. We may use cookies, web beacons, or other similar technologies that are necessary to the operation of our sites, services, applications, and tools.  This includes technologies that allow you access to our sites, services, applications, and tools; that are required to identify irregular site behavior, prevent fraudulent activity and improve security; or that allow you to make use of our functions such as shopping-carts, saved search, or similar functions;

  • Performance Related. We may use cookies, web beacons, or other similar technologies to assess the performance of our websites, applications, services, and tools, including as part of our analytic practices to help us understand how our visitors use our websites, determine if you have interacted with our messaging, determine whether you have viewed an item or link, or to improve our website content, applications, services, or tools;

  • Functionality Related. We may use cookies, web beacons, or other similar technologies that allow us to offer you enhanced functionality when accessing or using our sites, services, applications, or tools.  This may include identifying you when you sign into our sites or keeping track of your specified preferences, interests, or past items viewed so that we may enhance the presentation of content on our sites;

  • Advertising or Targeting Related. We may use first-party or Third-Party cookies and web beacons to deliver content, including ads relevant to your interests, on our sites or on Third-Party sites.  This includes using technologies to understand the usefulness to you of the advertisements and content that has been delivered to you, such as whether you have clicked on an advertisement.

If you would like to opt out of the Technologies we employ on our sites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.

2.10 Mobile Devices

Atara may provide websites and online resources that are specifically designed to be compatible and used on mobile devices.  Atara will collect certain information that your mobile device sends when you use such websites or online resources, like a device identifier, user settings and the operating system of your device.

Mobile versions of Atara’s Websites may require that users log in with an account.  In such cases, information about use of each mobile version of the website may be associated with user accounts.  In addition, Atara may enable Individuals to download an application, widget or other tool that can be used on mobile or other computing devices.  Some of these tools may store information on mobile or other devices.  These tools may transmit Personal Information to Atara to enable Data Subjects to access user accounts and to enable Atara to track use of these tools.  Some of these tools may enable users to email reports and other information from the tool.  Atara may use Personal Information or non-identifiable information transmitted to the Company to enhance these tools, to develop new tools, for quality improvement and as otherwise described in this Privacy Policy.

2.11 Anonymous and Aggregated Information

Atara may use your Personal Information and other information about you to create anonymized and aggregated information, such as de-identified demographic information, de-identified location information, information about the computer or device from which you access the Atara Website or other online services, or other analyses we create. Anonymized and aggregated information is used for a variety of functions, including the measurement of visitors’ interest in and use of various portions or features of the Websites.  Anonymized or aggregated information is not Personal Information, and Atara may use such information in a number of ways, including research, internal analysis, analytics and any other legally permissible purposes.  We may share this information within Atara and with Third Parties for our or their purposes in an anonymized or aggregated form that is designed to prevent anyone from identifying you.

3.0 Choice/Modalities to Opt Out

You have the right to opt out of certain uses and disclosures of your Personal Information, as set out in this Privacy Policy.

3.1 General

Where you have consented to Atara’s Processing of your Personal Information or Sensitive Personal Information, you may withdraw that consent at any time and opt out by following the instructions in this Section 3.  Additionally, before we use Personal Information for any new purpose not originally authorized by you, we will provide information regarding the new purpose and give you the opportunity to opt in.

Prior to disclosing Sensitive Data to a Third Party or Processing Sensitive Data for a purpose other than its original purpose or the purpose authorized subsequently by the Data Subject, Atara will endeavor to obtain each Data Subject’s explicit consent (opt-in).  Where consent of the Data Subject for the Processing of Personal Information is otherwise required by law or contract, Atara will comply with the law or contract.

3.2 Email and Telephone Communications

An “Unsubscribe” button will be provided at the top or bottom of each email communications sent by Atara so that you can opt out.  However, to the extent required or permitted by law, we may continue to send transaction-related emails regarding products or services you have requested in response to such request.  We may need to send you certain communications regarding the Atara programs and services and you will not be able to opt out of those communications–e.g., communications regarding updates to our Terms of Use or this Privacy Policy.

We maintain telephone “do not call” lists and “do not mail” lists as mandated by law.  We process requests to be placed on do not mail, do not phone and do not contact lists within 60 days after receipt, or such shorter time as may be required by law.

3.3 “Do Not Track”

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers.  DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services.  Atara does not recognize or respond to browser-initiated DNT signals.  For information about Do Not Track, visit http://www.allaboutdnt.com.

3.4 Advertising Choices

We may use certain tools offered by Third Parties, including those offered by Facebook, Inc. (“Facebook”), that enable such Third Party to collect or receive information about actions users take on: (a) our Website and elsewhere on the Internet through use of cookies, pixel tags and other storage technologies; or (b) an Atara mobile application and other mobile applications, in order to provide interest-based advertising.

Interest-based advertising is advertising that tries to make the ads you see more interesting and relevant to you based on the types of sites you visit online and other information that does not personally identify you.  Advertisements on Third-Party websites that contain the AdChoices link and that link to this Privacy Policy may have been directed to you based on anonymous, non-Personal Information collected by advertising partners over time and across websites.  These advertisements provide a mechanism to opt out of the advertising partners’ use of this information for interest-based advertising purposes.

For more information regarding the collection and use of such information by Facebook, please see the Facebook Data Policy, available at: https://www.facebook.com/policy.php.

You can opt out of the collection and use of your information for interest-based advertising by going to http://optout.aboutads.info or http://www.youronlinechoices.eu/ to limit collection through the Website or by configuring the settings on your mobile device to limit ad tracking through the mobile applications.

Even if you opt out, we may still collect and use non-Personal Information regarding your activities on our Websites and/or information from the advertisements on Third-Party websites for non-interest-based advertising purposes, such as to determine the effectiveness of the advertisements.

4.0 Onward Transfer

4.1 Information We Share

Atara does not sell or otherwise disclose Personal Information about you, except as described in this Privacy Policy or as you explicitly consent.  Atara endeavors to require third parties to which it discloses Personal Information to protect Personal Information using substantially-similar standards to those required by Atara, and to notify Atara if they make a determination they can no longer meet this obligation.

Atara may disclose certain categories of personal information for our business purposes.  These categories of information include identifiers, financial information, demographic information, internet or other electronic network activity information, medical information, and professional or employment related information.

4.1.1 Service Providers

Atara may share Personal Information with our service providers that we have retained to perform services on our behalf including (i) provision of IT and related services; (ii) provision of information and services you have requested; (iii) payment processing; and (iv) customer service activities.  Payment information will be used and shared only to effectuate your order and may be stored by a service provider for purposes of future orders.

Atara has executed appropriate contracts with the service providers that prohibit them from using or sharing your Personal Information except as necessary to perform the contracted services on our behalf or to comply with applicable legal requirements.

4.1.2 Business Partners

Atara may share Personal Information with our business partners and affiliates for our and our affiliates’ internal business purposes or to provide you with a product or service that you have requested.  Atara may also provide Personal Information to business partners with whom we may jointly offer products or services, or whose products or services we believe may be of interest to you.  In such cases, our business partner’s name will appear, along with Atara’s.  Atara requires our affiliates and business partners to agree in writing to maintain the confidentiality and security of Personal Information they maintain on our behalf and not to use it for any purpose other than the purpose for which it was provided.

4.1.3 Privacy Shield

With respect to onward transfers to Agents under Privacy Shield, as defined in Section 10 of this Global Privacy Policy, Privacy Shield requires that Atara remain liable should its Agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.

4.1.4 Information Disclosed for Our Protection and the Protection of Others

We may disclose Personal  Information about you: (i) if we are required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce Atara policies or contracts; (v) to collect amounts owed to Atara; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) if we, in good faith, believe that disclosure is otherwise necessary or advisable.

In addition, from time to time, server logs may be reviewed for security purposes–e.g., to detect unauthorized activity on the Websites.  In such cases, server log data containing IP addresses may be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.

4.1.5 Information Disclosed in Connection with Business Transactions

We reserve the right to disclose or transfer any Personal Information we have about you in the event of a proposed or actual purchase, any reorganization, sale, lease, merger, joint venture, assignment, amalgamation or any other type of acquisition, disposal or financing of all or any portion of our business or of any of the business assets or shares (including in connection with any bankruptcy or similar proceeding).  Should such an event occur, Atara will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Privacy Policy and the applicable laws.

4.1.6 Cooperation with Data Protection Authorities

Atara commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC), and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.

4.2 Data Transfers

All Personal Information sent or collected via or by Atara may be stored anywhere in the world, including but not limited to, in the United States, in the cloud, our servers, the servers of our affiliates or the servers of our service providers.  Your Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request.  By providing information to Atara, you consent to the storage of your Personal Information in these locations.

5.0 Rights of Access, Rectification, Erasure and Restriction

Under Privacy Shield and applicable laws in other countries such as the EU General Data Protection Regulation, you may seek confirmation regarding whether Atara is Processing Personal Information about you, request access to and a copy of Personal Information, request restriction of the processing of your Personal Information, or object to that processing, withdraw your consent to the processing of your Personal Information, request for the receipt or the transfer to another organization, in a machine-readable form, of the Personal Information that you have provided to Atara and ask that we correct, amend or delete your Personal Information where it is inaccurate or has been Processed in violation of the Privacy Shield Principles or applicable laws.  We attempt to fulfil all of your requests and comply with our related responsibilities as far as possible. If you feel that we have not addressed your requests you may use the procedures provided in Section 8 of this Privacy Policy to seek resolution of your concerns.  Such requests will be Processed in line with local laws.

Although Atara makes good faith efforts to provide Individuals with access to their Personal Information, there may be circumstances in which Atara is unable to and would not, to the extent permitted by law, to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy in the case in question or where it is commercially proprietary.  If Atara determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.  To protect your privacy, Atara will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.

6.0 Retention

Atara retains the Personal Information we receive as described in this Privacy Policy for as long as you use our Websites or as necessary to fulfill the purpose(s) for which it was collected, provide our products and services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements and comply with applicable laws.

7.0 Security

The security of all Personal Information provided to Atara is important to us, and Atara takes reasonable steps designed to protect your Personal Information.  Unfortunately, no data transmission over the Internet or storage of information can be guaranteed to be 100% secure.  As a result, while Atara strives to protect your Personal Information, we cannot ensure or warrant the security of any information you transmit to Atara, and you do so at your own risk.  You are responsible for maintaining the secrecy of your own passwords.  If you have reason to believe that your passwords or Personal Information is no longer secure, please promptly notify Atara at privacy@atarabio.com.

8.0 Redress/Compliance and Accountability

If after reviewing this Privacy Policy, you would like to submit a request, have any questions or privacy concerns, or would like information on how to lodge a complaint with the appropriate authority, please contact:


Atara will address your concerns and attempt to resolve any privacy issues in a timely manner.  If you are an EU or Swiss citizen and feel that Atara is not abiding by the terms of this Privacy Policy, please contact Atara at the contact information provided above.

In addition, Atara has agreed to refer unresolved complaints related to Personal Information to JAMS Privacy Shield Dispute Resolution Program and, with respect to Employee and human resources data, has committed to cooperate with the panel established by local data protection authorities and comply with the advice given by the panel for EU citizens and with the Swiss Federal Data Protection and Information Commissioner’s authority and advice for such data of Swiss citizens. For more information and to submit a complaint regarding Individual data to JAMS, a dispute resolution provider which has locations in the United States and EU, visit https://www.jamsadr.com/eu-us-privacy-shield.

Such independent dispute resolution mechanisms are available to citizens free of charge.  If any request remains unresolved, you may contact the national data protection authority for your EU Member State.

You may also have a right, under certain conditions, to invoke bindingarbitrationunderPrivacy Shield; for additional information, see https://www.privacyshield.gov/article?id=ANNEX-I-introduction.  The FTC has jurisdiction over Atara’s compliance with the Privacy Shield.

9.0 Identification of Data Protection Representative

We have appointed DPR Group as our Data Protection Representative in the European Union so that you can contact our Representative directly in your home country. DPR Group has locations in each of the 28 EU countries.

If you want to raise a question to Atara, or otherwise exercise your rights in respect of your Personal Information, you may do so by contacting our Data Protection Officer listed above or by:

  • sending an email to DPR Group at datainquiry@dpr.eu.com quoting <Atara Biotherapeutics, Inc.> in the subject line,

  • contacting us on our online webform at www.dpr.eu.com/datarequest, or

  • mailing your inquiry to DPR Group at the most convenient of the addresses in the subsequent pages.

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DPR Group’ and not ‘Atara Biotherapeutics, Inc.’, or your inquiry may not reach us. Please refer clearly to Atara Biotherapeutics, Inc. in your correspondence. On receiving your correspondence, Atara Biotherapeutics, Inc. is likely to request evidence of your identity, to ensure your Personal Information and information connected with it is not provided to anyone other than you.

If you have any concerns over how DPR Group will handle the Personal Information we will require to undertake our services, please refer to its privacy notice at https://www.dpr.eu.com/legal-privacy.




DPR Group, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria


DPR Group, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium


DPR Group, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria


DPR Group, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia


DPR Group, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus



DPR Group, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic


DPR Group, Lautruphøj 1-3, Ballerup, 2750, Denmark


DPR Group, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia


DPR Group, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland


DPR Group, 72 rue de Lessard, Rouen, 76100, France


DPR Group, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany


DPR Group, 24 Lagoumitzi str, Athens, 17671, Greece


DPR Group, Kálmán Imre utca 1, Budapest, 1054, Hungary


DPR Group, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland


DPR Group, BPM 335368, Via Roma 12, 10073, Ciriè TO, Italy


DPR Group, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia


DPR Group, 44A Gedimino Avenue, 01110 Vilnius, Lithuania


DPR Group, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg


DPR Group, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta


DPR Group, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands


DPR Group, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland


DPR Group, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal


DPR Group, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania


DPR Group, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia


DPR Group, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia


DPR Group, Puerta de las Naciones, Ribera del Loira 46, Madrid, 28042, Spain


DPR Group, St Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden



DPR Group, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom

10.0 Other Rights and Important Information

10.1 Information Regarding Children

With the exception of collection of information pursuant to clinical trials or in the SPU setting, due to the nature of Atara’s business, services and benefits are not marketed to minors.  Atara does collect this information from minors pursuant to appropriate parental consents when they are enrolled in our clinical trials or when their treating physician requests cells for treatment pursuant to our SPU program. Atara does not knowingly solicit or collect Personal Information from children under the age of 18 outside of the context of clinical trials or the SPU setting.  If we learn that we have collected Personal Information from a child under the age of 18, we will promptly delete that information.

10.2 Links to Third-Party Websites

Please note that our Websites may contain links to other websites for your convenience and information.  Atara does not control Third-Party websites or their privacy practices, which may differ from those set out in this Privacy Policy.  Atara does not endorse or make any representations about Third-Party websites.  Any Personal Information you choose to give to unrelated Third Parties is not covered by this Privacy Policy.  Atara encourages you to review the privacy policy of any company or website before submitting your Personal Information.  Some Third Parties may choose to share their users’ Personal Information with Atara; that sharing is governed by that company’s privacy policy, not this Privacy Policy.

10.3 Changes to the Privacy Policy

Atara may update this Privacy Policy from time to time as it deems necessary in its sole discretion.  If there are any material changes to this Privacy Policy, Atara will notify you by email or as otherwise required by applicable law.  Atara encourages you to review this Privacy Policy periodically to be informed regarding how Atara is using and protecting your information and to be aware of any policy changes.  Your continued relationship with Atara after the posting or notice of any amended Privacy Policy shall constitute your agreement to be bound by any such changes.  Any changes to this Privacy Policy take effect immediately after being posted or otherwise provided by Atara.

10.4 Compliance

This Privacy Policy shall be implemented by Atara and all its operating divisions, subsidiaries and affiliates.  Atara has put in place mechanisms to verify ongoing compliance with Privacy Shield Principles, related applicable laws in other countries and this Privacy Policy.

11.0 Definitions

“Agent” means any Third-Party that processes Personal Information pursuant to the instructions of, and solely for, Atara or to which Atara discloses Personal Information for use on its behalf.

“Data Subject” or “Individual” is an identified or identifiable natural person. A Data Subject may be an Employee, an Individual or any other natural person.

“Employee” refers to any current, temporary, permanent, prospective or former employee, director, contractor, worker or retiree of Atara or its subsidiaries worldwide.

“Personal Information” is any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 “Privacy Shield” means the seven (7) principles of the Privacy Shield Framework: (1) notice, (2), choice, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and liability. Additionally, it includes the sixteen (16) supplemental principles described in the Privacy Shield: (1) sensitive data, (2) journalistic exceptions, (3) secondary liability, (4) performing due diligence and conducting audits, (5) the role of the data protection authorities, (6) self-certification, (7) verification, (8) access, (9) human resources data, (10) obligatory contracts for onward transfers, (11) dispute resolution and enforcement, (12) choice – timing of opt-out, (13) travel information, (14) pharmaceutical and medical products, (15) public record and publicly available information, and (16) access requests by public authorities.

 “Process” or “Processing” means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Protected Health Information” is a subset of Personal Information and has the meaning set out in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), and in particular at 45 C.F.R. § 160.103, as it may be amended from time to time.

“Sensitive Data” or “Sensitive Personal Information” is a subset of Personal Information which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections.  Sensitive Personal Information includes Personal Information regarding EU residents that is classified as a “Special Category of Personal Data” under EU law, which consists of the following data elements: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) genetic data; (6) biometric data where Processed to uniquely identify a person; (6) health information; (7) sexual orientation or information about the individual’s sex life; or (8) information relating to the commission of a criminal offense.

“SPU” or “Single Patient Use” is a term commonly used to describe the use of an Atara product by a single patient outside of a clinical trial of an investigational medical product (i.e., one that has not been approved by FDA) through a compassionate use program.

“Third-Party” is any natural or legal person, public authority, agency or body other than the Data Subject, Atara or Atara’s agents.