Privacy Policy

1.0            OVERVIEW

1.1            PURPOSE

In the course of pursuing its mission of developing new therapies, Atara Biotherapeutics, Inc. and its affiliates, (“Atara”) collects and analyzes personal information of various individuals, including patients, vendors and healthcare professionals.

Atara is committed to continuing compliance with the evolving legal and regulatory standards for privacy and data protection applicable in the countries and regions where it conducts its activities.

1.2            SCOPE

These Privacy Principles (the “Principles”) represent Atara’s global privacy standards and apply to all Personal Information collected, processed, shared, or used by Atara in the context of its various activities.

2.0            POLICY

2.1            Definition of Personal Information – What is Personal Information?

“Personal Information” means all information that relates to an individual (also called a data subject) or information that can be used to identify a person, both directly (e.g., name or photograph) and indirectly (e.g., a medical insurance number, position in a company, or a study code assigned in a clinical trial).  In some countries, Personal Information may also include information such as medical device serial numbers, biological samples, internet protocol addresses, or information relating to a company. It also includes to the extent applicable “personal information” or “personal data” protected under applicable laws and regulations.

2.2            Data Subjects – Who are the Data Subjects?

Atara processes Personal Information from the following data subjects fairly and lawfully:

·        Patients’ Personal Information.  To enhance privacy, data subjects’ names and other direct identifiers are not attached to records or samples collected by Atara for research purposes. Instead, data subjects are only identified by a code.

·        Healthcare Professionals Personal Information.  Atara analyzes the professional profiles of doctors and other healthcare providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications or otherwise collaborating with Atara or for marketing purposes. Atara more generally collects and processes healthcare professional’s Personal Information for the purposes of executing specific agreements to assist in clinical or medical research and other aspects of product development.

·        Employees’ Personal Information. Atara collects and processes employees’ Personal Information to honor employment agreements. Atara also processes Personal Information of job applicants, or to a certain extent, ex-employees, as appropriate.

·        Vendors’ Personal Information. Atara interacts with various third parties and needs to record certain Personal Information of their staff to be able to conduct activities together.

·        Web Visitors Data.  Atara collects Personal Information about visitors to company websites through the voluntary provision of the information by the data subject, e.g., where a data subject applies via the website for an open position or submits inquiries to the requests medical or scientific information about Atara’s investigational products.  Through the use of cookie-based technologies, Atara may collect various data linked to virtual identities allocated to visitors when they access Atara websites. See section 2.5 and Atara Cookies Information for more details.

Atara does not collect or maintain personally identifiable information for resale purposes, and will not share any web visitor’s personally identifiable information with any other company or organization, except to the extent that any sharing is required for the provision of services. If a web visitor does not wish to receive any email or other communication from Atara after requesting information, the web visitor may contact Atara at privacy@atarabio.com. Atara does collect and/or maintain personally identifiable information for marketing purposes such as the creation of a personalized website experience or email advertising through the purchase of opted- in email lists.

2.3            Categories of Personal Information collected – Which types of Personal Information?

Atara collects various types of Personal Information that may include:

·        Identifiers, such as title, name, address, phone number, email address, username, government identification (e.g., driver’s license, passport), photo or image, login credentials, answers to security questions, medical license number, and Internet Protocol address;

·        Financial information, such as banking or credit card details;

·        Demographic information, such as nationality, ethnic origin, or gender;

·        Internet or other electronic network activity information, such as website navigational data, the name of the domain and host from which one accesses the Internet, the browser software used and operating system, the date and time Atara websites were accessed, and the Internet address of the website from which one directly linked to Atara websites;

·        Professional or employment-related information, such as professional experience, professional qualifications, professional organization membership status;

·        Education information, such as educational background, interests, preferences and favorites.

Atara may also collect other information that is not Personal Information, such as business, company or institutional information.

In addition, for certain programs and services, Atara may collect information regarding patients’ medications, medical state and history and other healthcare-related information, including, without limitation, Protected Health Information (collectively, “Health Information”), from individuals or indirectly from a third party.

2.4             COLLECTION AND PROCESSING OF PERSONAL INFORMATION

2.4.1       Principles – How does Atara collect and use Personal Information?

Where mandated by data privacy law, or where it is a matter of good practice, Atara will seek consent of data subjects to collect, use, and disclose their data consistent with the relevant privacy notice. Specific requirements may vary by jurisdiction and must always be followed.

As required under applicable law, Atara shall:

·        Collect and use Personal Information only in instances where it has legal justification to do so.  For example, some Atara guidelines or local laws may require explicit consent of the data subject prior to collection of his or her Personal Information as required by applicable law (e.g., informed consent for clinical research);

·        Notify data subjects as to how their Personal Information will be used prior to collection of such information;

·        Collect only that Personal Information which is required for the specified business purpose;

·        Use Personal Information only for the specific business purpose described in the applicable consent form or privacy statement or for purposes that would be reasonably anticipated by the data subject;

·        Use Personal Information in ways that do not have adversely impact the data subject unless such use is justified by law; and

·        Anonymize or pseudonymize Personal Information where possible or appropriate.

Atara recognizes that responsible management of Personal Information is required to protect privacy rights and comply with data privacy laws and regulations.

Personal Information may be shared with other Atara affiliates, government agencies and third parties on a “need to know” basis for legitimate business reasons or as otherwise allowed or required by law.

Where required by applicable law, Atara will ensure an appropriate and lawful response to data subjects who exercise their individual rights to: (1) know what Personal Information is being processed and have an opportunity to correct or update it, (2) object to processing or withdraw consent to processing, as applicable, and/or (3) request correction, erasure, or blocking of their Personal Information.

Atara will take commercially reasonable and appropriate measures to protect Personal Information from loss, misuse and unauthorized access, disclosure, alterations, and destruction, taking into consideration the risks involved in the processing and the nature of the Personal Information.

Atara websites may contain links to websites outside of Atara. Linked websites are not under the control of or endorsed by Atara. These Principles do not apply to linked websites outside the Atara organization. It is recommended that visitors review the privacy policy of each individually linked website.

2.4.2       Collection of Data – How is the Personal Information collected?

Atara may collect Personal Information from the following sources:

Atara may, to the extent permitted by law, collect Personal Information from data subjects through various channels, including the websites, in surveys, during business or marketing events, and when delivering programs and services to various persons.

Atara may provide opportunities to sign up to receive specific information or services and may ask for contact information (e.g., name, home/contact address, home/contact phone number or personal/contact email address), so that we can send specific information about Atara products, services and specific health conditions, with data subjects’ consent.

When enrolling an individual in a program that Atara offers, we may obtain contact information, details of the patient’s health condition, and prescribing information relating to our products.

Atara is also obligated to collect certain Personal Information to comply with regulatory requirements, including information relating to potential adverse effects, which may be experienced when using Atara products.

Atara may indirectly collect information about patients’ health condition, diagnosis, and treatment from healthcare professionals, but only where the healthcare professional has obtained consent to disclose that information to Atara, as required by law.

Atara may, to the extent permitted by law, collect various information from healthcare professionals as part of marketing or educational activities to healthcare professionals, including first name, last name, age, gender, home/contact address, home/contact phone number, medical specialization, professional qualifications, license number and scientific society membership number.

When navigating the websites, certain passive information may also be collected.  This type of information is used for the purposes of gathering data to provide improved administration of Atara websites and to improve the quality when interacting with Atara websites.

Atara may also collect information about data subjects from third-party sources to supplement information received from the data subjects. Examples of these third-party sources include marketing vendors, authentication service providers, or background check providers. From time to time, Atara may perform research (online and offline) via surveys.

Atara may collect Personal Information to enable data subjects to use online social media resources offered either by Atara or a third party.  Generally, online social media resources are interactive tools that enable data subjects to collaborate and share information with others.  Social media resources include, but are not limited to, social networks, discussion boards, bulletin boards, blogs, wikis, and referral functions to share web site content and tools with a friend or colleague.  Atara may also enable individuals to use these social media resources to post or share Personal Information with others.  When using social media resources, one should take into careful consideration what Personal Information shared with others.

When using an online social media resource offered by a third-party through the Atara website, the user acknowledges that Atara may be able to access any information made public through such third-party (such as username, comments, posts and contacts) and other information the privacy settings on such third-party permit Atara to access.  Atara will comply with the terms of this Privacy Policy and the privacy policies applicable to the social media resources it uses.

2.4.3       Use of Data – What will happen to the Personal Information?

Atara, and its third party-service providers may also use Personal Information in a variety of ways, including:

·        Providing information and services requested by an individual;

·        Administrative purposes;

·        Marketing products

·        Research and development

·        Other Uses: Atara may use Personal Information for which Atara has a legitimate interest, such as marketing, individual or market research, anti-fraud protection, or any other purpose disclosed.

2.5            Specific principles for Internet Users including Cookies, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising

A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions are enabled to the computers of visitors to Atara websites for the following purposes: to allow the site to deliver the service requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the company to perform site analytics; and to help tailor marketing messages to the visitor based on previous browsing. Atara cookies are enabled and controlled by the Atara IT team, which is established in the United States. The online relationship with Atara may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on his/her computer, to delete or disable cookies, and to set “Do Not Track” as a function. Please note that disabling cookies may prevent a visitor from using certain features on Atara websites.

To read more about cookies and principles for internet users please see the section below entitled: Atara Cookies Information.

Atara does not collect information through Atara websites from individuals who are known to be children under respective applicable data privacy laws, and no part of Atara online presence is directed to any children.

2.6            Transfers of Personal Information – What happens when the Personal Information goes to another country?

Atara is part of an industry that is increasingly globalized in its approach to life sciences. Personal Information will be shared across international borders as required to support global projects, particularly clinical trials and associated requirements such as safety reporting. Atara hosts Personal Information in databases in different locations throughout the world, mainly in the United States. Atara recognizes that many countries have regulations restricting the flow of Personal Information across international borders. Atara will protect the Personal Information during the transfer according to applicable laws and regulations.

2.7            California Residents

The California Consumer Privacy Act, as amended by the California Privacy Rights Acts (CCPA) grants certain rights to California residents.  For this section, Personal Information has the meaning given to it under the CCPA.  To the extent the CCPA applies to our processing of your Personal Information, you would be entitled to the following rights:

Right to Know and Access.  You have (a) the right to know the categories of the Personal Information we have collected, sold, shared for cross-context behavioral advertising, or disclosed for a business purpose, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, sharing or disclosing Personal Information, and the categories of third parties to whom we have disclosed your Personal Information and (b) right to access the specific pieces of Personal Information we have collected about you.

Right to Deletion. You have the right to request deletion of your Personal Information collected directly from you, subject to certain exceptions.

Right to Correct. If Atara maintains inaccurate Personal Information about you, you have the right to correct such inaccurate Personal Information, taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information.

Right to Opt-Out of Selling. You have the right to opt-out of the sale of your Personal Information to third parties. Atara does not sell Personal Information subject to the CCPA that is subject to this opt-out right.    Atara does not have actual knowledge that it sells Personal Information of minors under the age of sixteen (16).

Right to Opt-Out of Sharing of your Personal Information for cross-context behavioral advertising.  Atara does not share your Personal Information for such advertising, and therefore does not provide this opt-out.

Right to Limit Use and Disclosure of Your Sensitive Personal Information.  You have the right to request Atara to limit the use and disclosure of your sensitive Personal Information.  Atara does not provide such an opt-out because it uses sensitive Personal Information subject to the CCPA for the purposes specified in the CCPA and not for inferring characteristics about you.

Right to Non-Discrimination. You have the right to not receive discriminatory treatment if and when you exercise your rights under the CCPA.

If you are a California resident and want to submit a request exercising your rights, please contact us at privacy@atarabio.com or by mail at the address listed below. You must provide us with sufficient information that allows us to reasonably verify who you are and describe your request with sufficient detail to allow us to properly evaluate and respond to it. If we are unable to verify your identity with the information provided, we may ask you for additional pieces of information. We may also require the Individual do either of the following: (1) verify their own identity directly with the business. (2) directly confirm us that they provided the authorized agent permission to submit the request. If you are an authorized agent making a request on behalf of another individual, you must provide us with signed documentation that you are authorized to act on behalf of that individual.

Please note that we are not obligated to respond to more than two Right to Know/Access requests for the same individual’s Personal Information within a 12-month period.

California law also permits California residents to request certain information about our disclosure of Personal Information to third parties for their own direct marketing purposes during the preceding calendar year. As discussed elsewhere in this Notice, we do not currently share the Personal Information of California residents with third parties for their own direct marketing purposes. However, if you have further questions about our privacy practices and compliance with California law, please contact us as explained below.

CONTACT INFORMATION

If you have questions or comments about our privacy practices or this Notice or to request this Notice in another form, contact us at:

Atara Biotherapeutics, Inc.
Attn: Privacy Office
2380 Conejo Spectrum St., Suite 200
Thousand Oaks, CA 91320
privacy@atarabio.com

2.8            Contact

All communications, queries, requests to exercise data subjects’ rights (e.g., access to data), or complaints should be addressed to the attention of the Atara Data Protection Officer at privacy@atarabio.com.

We have appointed DataRep as our Data Protection Representative in the European Union so that you can contact our Representative directly in your home country. DataRep has locations in each of the 27 EU countries, the UK, and Norway and Iceland in the European Economic Area (EEA), and specific details are provided below.

If you want to raise a privacy-related question to Atara, or otherwise exercise your rights in respect of your Personal Information, you may do so by contacting our Data Protection Officer listed above or by sending an email to DataRep at datarequest@datarep.com quoting <Atara Biotherapeutics, Inc.> in the subject line, contacting us on our online webform at www.datarep.com/data-request, or mailing your inquiry to DataRep at the most convenient of the addresses indicated in the section below.

If you have any concerns about how DataRep will handle the personal data they may require to undertake their services, please refer to their privacy notice at www.datarep.com/privacy-policy.

 

Atara Cookies Information

Detailed Cookie, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising Information

Atara, as well as third parties that provide content, advertising, or other functionality on Atara services, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through the Services. We use Technologies that are essentially small data files placed on your computer, tablet, mobile phone, or other devices (referred to collectively as a “device”) that allow us to record certain pieces of information whenever you visit or interact with Atara sites, services, applications, messaging, and tools, and to recognize you across devices.

Cookies. Cookies are small text files placed in visitors’ computer browsers to store their preferences.  Most browsers allow you to block and delete cookies. However, if you do that, the Site may not work properly.

Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded on the Site that collects information about users’ engagement on that web page.  The use of a pixel allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement.

Social Media Widgets. Our Website may include social media features such as the Facebook “Like” button and LinkedIn (that might include widgets such as the “Share” button or other interactive mini-programs).  These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly.  These social media features are either hosted by a Third Party or hosted directly on our Website. Your interactions with these features are governed by the privacy policy of the company providing it.

Analytics. We may also use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on some of our Services, and to develop website content. This analytics data is not tied to any Personal Information. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You can opt out of Google’s collection and Processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.

Our uses of such Technologies fall into the following general categories:

Operationally Necessary. We may use cookies, web beacons, or other similar technologies that are necessary to the operation of our sites, services, applications, and tools.  This includes technologies that allow you access to our sites, services, applications, and tools; that are required to identify irregular site behavior, prevent fraudulent activity and improve security; or that allow you to make use of our functions such as shopping-carts, saved search, or similar functions;

Performance Related. We may use cookies, web beacons, or other similar technologies to assess the performance of our websites, applications, services, and tools, including as part of our analytic practices to help us understand how our visitors use our websites, determine if you have interacted with our messaging, determine whether you have viewed an item or link, or to improve our website content, applications, services, or tools;

Functionality Related. We may use cookies, web beacons, or other similar technologies that allow us to offer you enhanced functionality when accessing or using our sites, services, applications, or tools.  This may include identifying you when you sign into our sites or keeping track of your specified preferences, interests, or past items viewed so that we may enhance the presentation of content on our sites;

Advertising or Targeting Related. We may use first-party or Third-Party cookies and web beacons to deliver content, including ads relevant to your interests, on our sites or on Third-Party sites.  This includes using technologies to understand the usefulness to you of the advertisements and content that has been delivered to you, such as whether you have clicked on an advertisement.

If you would like to opt out of the Technologies we employ on our sites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.

Mobile Devices

Atara may provide websites and online resources that are specifically designed to be compatible and used on mobile devices.  Atara will collect certain information that your mobile device sends when you use such websites or online resources, like a device identifier, user settings and the operating system of your device.

Mobile versions of Atara’s Websites may require that users log in with an account.  In such cases, information about use of each mobile version of the website may be associated with user accounts.  In addition, Atara may enable Individuals to download an application, widget or other tool that can be used on mobile or other computing devices.  Some of these tools may store information on mobile or other devices.  These tools may transmit Personal Information to Atara to enable Data Subjects to access user accounts and to enable Atara to track use of these tools.  Some of these tools may enable users to email reports and other information from the tool.  Atara may use Personal Information or non-identifiable information transmitted to the Company to enhance these tools, to develop new tools, for quality improvement and as otherwise described in this Privacy Policy.

“Do Not Track”

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers.  DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services.  Atara does not recognize or respond to browser-initiated DNT signals.  For information about Do Not Track, visit http://www.allaboutdnt.org.

Advertising Choices

We may use certain tools offered by Third Parties, including those offered by Facebook, Inc. (“Facebook”), that enable such Third Party to collect or receive information about actions users take on: (a) our Website and elsewhere on the Internet through use of cookies, pixel tags and other storage technologies; or (b) an Atara mobile application and other mobile applications, in order to provide interest-based advertising.

Interest-based advertising is advertising that tries to make the ads you see more interesting and relevant to you based on the types of sites you visit online and other information that does not personally identify you.  Advertisements on Third-Party websites that contain the AdChoices link and that link to this Privacy Policy may have been directed to you based on anonymous, non-Personal Information collected by advertising partners over time and across websites.  These advertisements provide a mechanism to opt out of the advertising partners’ use of this information for interest-based advertising purposes.

For more information regarding the collection and use of such information by Facebook, please see the Facebook Data Policy, available at: https://www.facebook.com/policy.php.

You can opt out of the collection and use of your information for interest-based advertising by going to http://optout.aboutads.info or http://www.youronlinechoices.eu/ to limit collection through the Website or by configuring the settings on your mobile device to limit ad tracking through the mobile applications.

Even if you opt out, we may still collect and use non-Personal Information regarding your activities on our Websites and/or information from the advertisements on Third-Party websites for non-interest-based advertising purposes, such as to determine the effectiveness of the advertisements.

 

Atara Data Protection Representative Contact Information

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Atara Biotherapeutics, Inc.’, or your inquiry may not reach us. Please refer clearly to Atara Biotherapeutics, Inc. in your correspondence. On receiving your correspondence, Atara Biotherapeutics, Inc. is likely to request evidence of your identity, to ensure your Personal Information and information connected with it is not provided to anyone other than you.

If you have any concerns over how DataRep will handle the Personal Information we will require to undertake our services, please refer to its privacy notice at https://www.datarep.com/privacy-policy/.

UK data subjects may contact our Data Protection Representative as Atara’s UK Representative at the UK contact location noted here (DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom) or as below.

Country	Address
Austria	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium	DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria	DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia	DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus	DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic	DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
Denmark	DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia	DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland	DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France	DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany	DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece	DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary	DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland	DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
Ireland	DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy	DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
Latvia	DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania	DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg	DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta	DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands	DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway	DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland	DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal	DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania	DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
Slovakia	DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia	DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain	DataRep, Calle De Manzanares 4, Madrid, 28005, Spain
Sweden	DataRep, St Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden
United Kingdom	DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom