BATAVIA BIOSCIENCES PRIVACY STATEMENT
Version September 2022
1. General information
This Privacy Statement informs you about how Batavia Biosciences B.V. (referred to in this Privacy Statement as “Batavia”, “we”, “our”, or “us”) processes personal data of Website Visitors, (potential) Business Relations and Job Applicants (together referred to as “Individuals”). Batavia is an entity incorporated under the laws of the Netherlands. The Batavia Website (referred to in this Privacy Statement as “Website”) is owned and operated by Batavia Biosciences B.V.
2. Which data is used and for what purposes?
Processing data of Website Visitors
We process data for providing, maintaining and improving our Website. For more specific information on the cookies and similar technologies used in this respect, please refer to our Batavia Cookie Statement.
- The persons involved. Website Visitors: people who visit the Website.
- The purpose of the processing. When a Website Visitor visits the Website and / or contacts us via the contact form on the Website or via e-mail, we will process your information for the following purposes:
- For the functioning, maintaining and improving of the Website;
- For providing and improving our services;
- For communication and sales purposes, including direct marketing; and
- For handling any requests, complaints and disputes.
- The personal data that is processed. When a Website Visitor visits the Website or contacts us, we may process the following information:
- IP address.
- Device ID.
- Browser type.
- Browser language setting.
- Other technical information, such as regarding the interaction between the Website Visitor’s device and the Website, the web pages that were visited, and the log data.
- Aggregate data related to demographics, location, new or returning visitor, frequency of visitation and whether the visitor is mobile or not.
- Information provided to us by the contact form, including your name, e-mail address, country, company and your message.
- Information provided to us by e-mail or phone.
Special categories of personal data and sensitive information:
In the context of the Website we do not, in principle, process special categories of personal data and / or sensitive information.
- Legal grounds for the processing. We base the use of the Website Visitor’s data on our legitimate interest in offering and securing our Website, and pursuing the other processing purposes listed above. For the collection and use of certain categories of personal data collected via cookies and similar technologies, we will ask for your consent via the cookie banner on the website. For more information please see the Cookie Statement. If you want more information about this, you can contact us directly via our contact details stated below.
Processing data of (potential) Business Relations
- The persons involved. (Potential) Business Relations: suppliers that provide services to us or our customers, our customers and visitors of our Batavia locations and events.
- The purpose of the processing. We will process your information for the following purposes:
- For Batavia internal business processes, for the promotion and provision of our services, creating and managing our business relations and receiving services from our Business Relations, such as:
- Finance, including sending, receiving, processing and payment of invoices of business relations, tax;
- quality assurance;
- quality control;
- science and innovation, including patent applications;
- communication, marketing and sales, including organizing events and marketing campaigns; and
- operations, including registration of the use of biological materials.
- The data that is processed. We may process the following information:
- Full name of the point of contact of the business relation.
- Contact details including business e-mail address.
- Bank and Giro account number.
- Tax ID number.
- ORCID – identification of researchers.
- Information provided to us by the contact form on the Website, e-mailing us or contacting us by phone or postal mail.
Special categories of personal data and sensitive information:
We do not, in principle, process special categories of personal data and sensitive information related to our Business Relations.
- Legal grounds for the processing. We base the use of the data on our legitimate interest for pursuing the other processing purposes listed above, for the performance of a contract to which the Business Relation is party or in order to take steps at the request of the Business Relation prior to entering into a contract, and based on legal obligations to comply with for example tax regulations.
Processing data of Job-Applicants
We process data in the context of hiring new employees.
- The persons involved. Job-applicants: people who apply for a vacancy at Batavia.
- The purpose of the processing. We will process your information for the assessment of the Job-Applicants suitability for a position that is or may become vacant.
- The data that is processed. We may process the following categories of personal data:
- Full name.
- Contact details, including e-mail address.
- Resume and / or other recruitment information.
- Data of birth.
- Information about the position, including job title, date of employment, salary, allowances, certifications, performance data and other sums of money and rewards.
- Other information provided to us via the Website, by e-mail or contacting us by phone or postal mail.
Special categories of personal data and sensitive information:
We do not, in principle, process special categories of personal data and / or sensitive information relating to Job-Applicants.
- Legal grounds for the processing. We base the use of the personal data on our legitimate interest in selecting the best candidates for Batavia and in order to take steps at the request of the Job Applicant prior to entering into a contract. If you want more information about this, you can contact us directly via our contact details stated below. We may process your personal data based on consent in order to retain your application file for one year, in case we couldn’t provide you a job.
In addition to the specific interests per purpose as specified above, we may process your personal data based on our legitimate interest for the following purposes:
- For determining, exercising and defending our rights;
- For complying with legal obligations (incl. fraud prevention) and requests of authorized governmental institutions; and
- In the context of mergers and acquisitions, including due diligence projects.
3. How do we obtain data?
We obtain personal data about an Individual in various ways:
- Provided by the Individual. Some data we receive straight from you, for example when we are contacted via the contact details listed below or via the contact form on the Website.
- Obtained internally. It is possible that we obtain your personal data from other Batavia systems.
- Obtained from third parties. We could also obtain personal data about you from other persons or external parties. Examples include your colleagues or other parties who are involved with our mutual relationship, and public registers of company directors and participating interests.
- Automatically obtained. Some personal data we obtain automatically, for example by using cookies and similar techniques. For more information about cookies and similar techniques, go to the Batavia Cookie Statement.
- Certain personal data we do not receive directly, but can be derived from the information already in our possession.
In principle you are under no obligation to provide any information about yourself to us. However, refusal to supply certain information could have a negative influence on, for example, our service provision to you or the functionality of the services that you use from us. We may, for instance, require your signature to conclude an agreement and certain parts of our Website may function less in case cookies are blocked.
If the provision of certain personal data is a legal or contractual obligation or an essential requirement for concluding an agreement with us, we will separately provide additional information about this for as far as this is not clear in advance. In this case we will also inform you about the possible consequences if this information is not provided.
4. Who do we share data with?
We only share Individuals data with third parties if:
- This is necessary for the provision of a service or the involvement of the third party. Sub-contractors, for example, will in principle only get access to the personal data that they require for their part of the service provision and will not be allowed to process the data for their own purposes.
- The persons within the third party that have access to the personal data are under an obligation to treat this data confidentially. Where necessary this is also contractually agreed on.
- The third party is obliged to comply with the applicable regulations for the protection of personal data, for instance because we have concluded an agreement with this party. This includes that the party is obliged to ensure appropriate technical and organizational security measures, and that any transfer of personal data to countries outside the EEA is adequately legitimized.
We could share an Individuals data on a need-to-know basis with the parties mentioned below:
- Authorized persons, employed or engaged by Batavia, who are involved with the processing activity concerned, on a need-to-know-basis.
- Authorized persons, employed or engaged by affiliated companies and/or parties in the private sector with whom we work and may share certain personal data, on a need-to-know-basis (e.g. recruitment agencies).
- Authorized persons, employed or engaged by service providers / sub-contractors engaged by Batavia, who are involved with the processing activity concerned, on a need-to-know-basis.
- Authorized government institutions. Such as, courts, police, and law enforcement agencies. We may release information about Individuals when legally required to do so, at the request of governmental institutions conducting an investigation or to verify or enforce compliance with Batavia’s policies and the applicable laws. We may also disclose such information whenever we believe disclosure is necessary to protect the rights, property or safety of Batavia, or any of our respective Business Relations.
- Aggregate Information. We may also disclose non-identifying, aggregated statistical information to third parties and / or Batavia affiliates for a variety of purposes, including work-flow management.
5. How do we secure data?
Protecting the Individuals’ privacy and personal data is very important to us. Therefore, Batavia has implemented appropriate technical and organizational measures to protect and secure the personal data we process, in order to prevent violations of the confidentiality, integrity and availability of data.
Batavia has internal documentation in which it is described how we safeguard an appropriate level of technical and organizational security. In addition, a data breach procedure is applicable within Batavia, in which it is explained how (potential) data breaches need to be handled. We will, for example, inform the competent supervisory authority and involved data subjects when this is required by the applicable law. All Batavia employees and other persons engaged by Batavia for the processing of personal data are obliged to ensure the confidentiality of this data.
6. To which countries will we transfer data?
If necessary, we may transfer personal data to third parties located outside the European Economic Area (EEA). We may share personal data with Business Relations located outside the EEA and our affiliates located in the United States of America and Hong Kong. In case the data is processed outside the EEA, the transfer is legitimized in the manner described below. You can find an overview of the EEA countries here: https://ind.nl/en/Pages/eu-eea-countries.aspx.
Transfers outside the EEA. The transfer of personal data to a third party outside the EEA can in the first place be legitimized based on an adequacy decision of the European Commission, in which it is decided that the (part within the) third country in question ensures an adequate level of data protection. On the website of the European Commission, you can find an overview of the adequacy decisions that have been taken.
If personal data is transferred to a country outside the EEA for which there is no adequacy decision, we agree on the applicability of the relevant version of the Standard Contractual Clauses with the relevant party. This is a standard contract to safeguard the protection of personal data, which is approved by the European Commission, in which the parties fill out the appendices. Where appropriate, additional safeguards are taken.
You can contact us if you want additional information about the way in which we legitimize the transfer of personal data to countries outside the EEA. Our contact details are stated at the bottom of this Privacy Statement.
7. How do we determine how long we retain data?
In general, Batavia does not keep personal data for longer than what is necessary in relation to the purposes for which we process the personal data. There could however be exceptions applicable to the general retention terms.
Exception: shorter retention period. If an Individual exercises certain privacy rights, it is possible that we retain it for a shorter period of time.
Exception: longer retention period. In certain situations, we process personal data of Individuals for a longer period of time than what is necessary for the purpose of the processing. This is for instance the case when we have to process personal data for a longer period of time:
- Retention obligation. To comply with a minimum retention period or other legal obligation to which Batavia is subject based on EU law or the law of an EU member state;
- Personal data which is necessary in relation to a legal procedure;
- Freedom of expression. When further processing of personal data is necessary in order to exercise the right to freedom of expression and information.
- For example: With the Job Applicant’s consent, we retain their data for one year as of finalization of the application procedure instead of 4 weeks.
8. Which privacy rights apply (incl. right to object)?
Based on the General Data Protection Regulation (“GDPR”; (EU) 2016/679) Individuals have various privacy rights. To what extent these rights can be exercised, may depend on the circumstances of the processing, such as the manner in which Batavia processes the personal data and the legal basis for the processing. Below we included a summary of the relevant privacy rights under the GDPR. For more information about this, you can visit the website of the European Commission.
We will respond to all requests without undue delay. If our full response will ever take more than a month due to the complexity or number of requests, we will inform you on this. Furthermore, please note that we may request more information to confirm the identity of the person filing the request – thus the Individual or its legal representation – before acting on any request.
8.1 Applicable privacy rights.
In relation to our processing of the Individual’ personal data, the below privacy rights apply.
- Right of access. This concerns the right to request access to Individual’s personal data. This enables the Individual or its legal representation to receive a copy of the data we hold about the Individual (but not necessarily the files themselves). We will then also provide further specifics of our processing of the personal data. For example, the purposes for which we process the data, where we got it from, and with whom we share it.
- Right to rectification. This concerns the right to request rectification of the data that we hold about the Individual. This enables the Individual or its legal representation to have any incomplete or inaccurate data corrected.
- Right to erasure. This concerns the right to request erasure of the data. This enables the Individual or its legal representation to ask us to delete or remove personal data where: (i) the data is no longer necessary, (ii) the processing activities have been objected to, (ii) the data has been unlawfully processed, (iv) the data has to be erased on the basis of a legal requirement, or (v) where the data has been collected in relation to the offering of information society services. However, we do not have to honor such request in all cases.
- Right to object. This concerns the right to object to the processing of personal data where we are relying on legitimate interest as processing ground (see above). Insofar as the processing of the data takes place for direct marketing purposes, we will always honor an objection. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override the Individual’s interests, rights and freedoms or that are – for example – related to the institution, exercise or substantiation of a legal claim. If such is the case, we will inform on our compelling interests and the balance of interests made.
- Right to restriction. The right to restriction of processing means that Batavia will continue to store personal data at the request of the Individual or its legal representation but may in principle not do anything further with it. In short, this right can be exercised when Batavia does not have (or no longer has) any legal grounds for the processing of the data or if this is under discussion.
- Automated decision-making. This concerns the right not to be subject to a decision based solely on automated processing, which significantly impacts the Individual. In this respect, please be informed that when processing the Individual’s data, we do not make use of automated decision-making.
- Right to withdraw consent. This concerns the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to complaint. This concerns the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of the Individual’s habitual residence, place of work or where an alleged infringement took place. Please be referred to the website of the European Data Protection Board (EDPB) for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with any concerns before the supervisory authority is approached, so please contact us beforehand.
8.2 How to exercise the privacy rights.
The Individual or its legal representation can exercise the privacy rights free of charge, by phone or by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we have the right to either charge a reasonable fee or refuse to comply with the request.
8.3 Verification of identity.
We may request specific information to help us confirm the identity of the Individual or its legal representation before we further respond to a privacy request.
8.4 Follow-up of a requests.
We will provide information about the follow-up of the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months.
9. How can you contact us?
If you or the minor you represent have any questions concerning this Privacy Statement, or data collection in particular, please contact us at email@example.com or via:
Batavia Biosciences B.V.
2333 CL Leiden
+31 (0) 88 9950600
Please let us know by e-mail in advance if you prefer to have further contact over the phone via another preferred language. We will then provide you with the relevant phone number.
We may change this Privacy Statement from time to time to accommodate new technologies, industry practices, regulatory requirements or for other purposes. The latest version can always be consulted via the Website. Important changes will also be communicated proactively.