Privacy Notice

This Privacy Notice (“Privacy Notice”) for Cinclus Pharma Holding AB company reg. no. 559136-8765, and its subsidiaries, (“Cinclus Pharma”, “we”, “us”, “our”), describes how Cinclus Pharma in its capacity of data controller collects, stores and processes your personal data. The Privacy Notice further describes our legal bases for the processing, how it affects you and how to exercise your rights.

We collect and process personal data provided by you in different contexts such as when you apply for a job or as being an employee at Cinclus Pharma. Furthermore, we collect and store personal data about you as a shareholder, investor, supplier contact person or as another stakeholder.

Our principles

Cinclus Pharma conducts business within the development and commercialization of pharmaceuticals and acquisition and exploitation of intellectual property rights.

Cinclus Pharma finds that the processing of personal data in accordance with applicable rules and legislation is of high importance in order to maintain the trust of suppliers and investors as well as the trust of other stakeholders and people we are in contact with. Protection of the integrity of the individual is crucial to maintain their trust and to develop the long-term relationships we strive for. The management of Cinclus Pharma is ultimately responsible for ensuring that your personal data is processed in accordance with applicable rules and legislations, in a way that preserves and respects the interests of the individual.

The personal data that we collect

Cinclus Pharma collects personal data in order to fulfill contractual obligations with our suppliers, but also in order to be able to contact job applicants, employees, investors, shareholders and other stakeholders. Some of the information is provided to us directly through e-mail contact, the form on our website, through LinkedIn or during the course of business related relationships. We may also collect information from third parties. Such third-party sources may vary from time to time, but have previously been including:

  • Authorities

  • Banks

  • Legal representatives

  • Credit reporting services

  • Staffing- and recruitment companies

What kind of information we collect, depends on the context of your interactions with Cinclus Pharma and the nature of our relationship.

We also collect and store information that you have provided through messages that you sent us such as the overall content of the message, feedback and questions.

If we intend to use your personal data for any other purpose, beyond what has been set out in this Privacy Notice, we will inform you prior to, or in connection with, the collection of that personal data. We will also ask for your permission or, where applicable, your consent.

Alternatively, such permission will be required after collection of personal data but prior to the use of the information for the new purpose.

Purposes and legal bases for our processing of personal data

The purposes and legal bases for our collection and processing of your personal data depend on the context of your interactions with Cinclus Pharma and the nature of our relationship.

Investors, shareholders, supplier representatives and other business partners

Purpose: We process your personal data in order to administer the relationship with our investors, shareholders, suppliers and other business partners.

Legal basis: The personal data is processed by Cinclus Pharma based on a balancing of interests (Article 6(1)(f) GDPR). Cinclus Pharma has a legitimate interest in being able to maintain business contacts with investors, shareholders, suppliers and other business partners. We may also process your personal data in order to fulfill our legal obligations (Article 6(1)(c) GDPR), for example the Swedish Accounting Act (Sw. Bokföringslagen).

Recruitment – job applicants

Purpose: We process your personal data in order to find, hire and pre-board suitable candidates to Cinclus Pharma.

Legal basis: The personal data is processed by Cinclus Pharma based on a balancing of interests (Article 6(1)(f) GDPR), since Cinclus Pharma has a legitimate interest in recruiting employees.

Employees

Purpose: We process your personal data for the purpose of operating Cinclus Pharma’s business and for human resource management.

Legal basis: Basic personal data such as social security number and payroll details are processed in order for Cinclus Pharma to fulfill your employment agreement (Article 6(1)(b) GDPR) and to comply with Cinclus Pharma’s legal obligations (Article 6(1)(c) GDPR). Certain types of personal data are processed on the basis of Cinclus Pharma’s legitimate interests (Article 6(1)(f) GDPR). This may include personal data processed for career development, training and operations of IT systems. Sensitive personal data including information regarding your health and trade union membership will only be processed to the extent necessary for Cinclus Pharma to comply with its obligations or exercise its rights within employment or social security laws (Articles 6(1)(c) and 9(2)(b) GDPR).

Communications

Purpose: We process your personal data in order to answer questions received through email or contact forms.

Legal basis: The personal data is processed by Cinclus Pharma based on a balancing of interests (Article 6(1)(f) GDPR), since Cinclus Pharma has a legitimate interest in responding to question and providing information on its business.

Reasons we share your personal data

In some cases, it may be necessary to share your personal data with other actors performing services on our behalf in order to conduct our business in an effective way. This may apply e.g., by the use of systems for handling emails, consent management tools or hiring a recruitment agency when recruiting new staff members.

In the case of sharing your personal data with others, we have ensured that such parties comply with our data protection requirements and are subject to prohibition of using the information for other purposes.

We may also need to disclose or store your personal data, when deemed necessary in order to fulfill certain obligations such as:

  • To comply with applicable legislation or to proceed in a legal process. This includes providing information to the police, the Swedish Tax Agency and other authorities.

  • To protect our suppliers and employees e.g., to prevent spam mail and fraud attempts.

  • To manage and maintain the security of our products and functions, including preventing or stopping an attack on our systems and our networks.

Please note that our website may contain links to products or platforms from a third party whose data protection notice differs from ours, e.g., LinkedIn or Piwik. If you provide your personal data through such products or platforms, your personal data will be subject to, and processed in accordance with, their privacy notice.

How to access and control your personal data

Information on how to administer your rights according to applicable data protection legislation can be found under the section named “Contact us”.

Your individual rights

Cinclus Pharma complies with applicable data protection legislation, including (where applicable) the following rights:

  • You have the right to request information if Cinclus Pharma processes personal data about you, and to receive a copy of your personal data processed by us. If you want to read more about the right of access – please see here.

  • You have the right to request correction of inaccurate personal data that we hold about you. You also have the right to ask us to complete incomplete data if this is relevant based on the purposes for which your data are processed, by providing us with additional information. If you want to read more about the right to rectification – please see here.

  • Under certain conditions you may request erasure of your personal data. For example, you may have the right to have your data erased if it is no longer necessary for the purposes for which it was collected. However, the right to erasure is not absolute and it may not always be possible to erase personal data on request, for example, when the data is still necessary to process for the purpose for which the data was collected or because we have a legal obligation to keep it. If you want to read more about the right to erasure – please see here.

  • You have the right to object to the processing of personal data that is subject to the legal basis of our legitimate interests. If you object, we do not have the right to process the data anymore, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if it is needed for the establishment, exercise or defense of legal claims. You can also object to your personal data being processed for marketing purposes. If you do so, we will stop sending marketing messages to you. If you want to read more about the right to object – please see here.

  • You have the right to request that the processing of your personal data should be restricted, for example if you do not think that the information we have about you is correct or if you believe that the processing is unlawful. If you want to read more about the right to restriction – please see here.

  • You have the right to make complaints to a supervisory authority. The Swedish Authority for Privacy Protection (IMY) is the authority in Sweden that supervises how companies, including us, comply with the legislation. If you want to read more about the right to lodge a complaint – please see here.

  • If the processing of personal data is subject to your consent as legal basis, you have the right to withdraw your consent at any time in regard to the processing of your personal data.

  • You have the right to data portability, meaning that you have the right to request us to disclose your personal data in a structured format. Please note that this right only applies to personal data subject to the legal bases of i). your consent or ii). an agreement that you have entered into with us. If you want to read more about the right to data portability – please see here.

Security of your personal data

Cinclus Pharma uses a range of security techniques and measures to protect your personal information from unauthorized access, unwanted change and loss of data; e.g., personal data that you enter is stored on computer systems that have limited access and are located in protected premises.

The location of storage and processing of personal data

The personal data, processed by Cinclus Pharma, may be stored and processed in the region of your habitual residence, in Sweden, or other countries where Cinclus Pharma, our partners or suppliers are conducting business. We take action to ensure that the information we collect is processed in accordance with this Privacy Notice and in accordance with the provisions of applicable legislation of the location of the personal data.

In case of transfer of your personal data to a data controller or data processor, due to circumstances explained under “Reasons we share your personal data”, located in a third country, i.e., a country outside of EU/EES, we will enter into an agreement and take other actions in accordance with applicable data protection regulations. Where we transfer your data outside the EU/EES we will do so on the basis of: (i) an adequacy decision by the European Commission; (ii) standard contract clauses; or (iii) another valid transfer mechanism under the GDPR and, if necessary, we will use additional safeguards such as encryption. You may, at any time, request further information regarding such transfers and request copies of agreements or other safeguards used by Cinclus Pharma for such transfers– please see the contact details under the section named “Contact us” below.

Our preservation of personal data

Cinclus Pharma preserves personal data as long as necessary to respond to inquiries, maintain relationships with suppliers, shareholders and other stakeholders, or for other necessary purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements. Since these needs may vary for different types of data and contexts, actual retention periods may vary. In summary the following can be said:

  • Information on contact persons of suppliers is stored up to one year after the end of the contractual relationship, but please note that the name of the contact person still may appear in the invoice documentation stored in accordance with applicable accounting legislation.

  • Information received by Cinclus Pharma, by e-mail or website form, is deleted when it is established that there is no need for further follow up on the matter.

  • Contracts are stored for a period of ten years after the completion of the assignment, in order to secure the legitimate interest of Cinclus Pharma in regard to defending itself against various types of legal claims.

  • Invoices and other information relating to the accounts are stored for seven years after the ending of the financial year in accordance with the Swedish Bookkeeping Act or for subsidiaries outside of Sweden in accordance with local similar Acts.

  • Salary bases are stored up to seven years after the ending of the financial year in accordance with the Swedish Bookkeeping Act. For subsidiaries outside of Sweden in accordance with local similar Acts. Other information on employees is stored during the term of the employment and some information is stored up to ten years after termination of employment where necessary for compliance or administrative purposes, e.g. for pension payments, providing references to other employers or for exercising or defending legal claims.

  • Applications from job applicants are stored as long as deemed necessary for the recruiting process and thereafter for a time period of two years, in accordance with the Swedish Discrimination Act (sw. Diskrimineringslagen).

  • Information on investors and shareholders are stored in accordance with time periods set in the Swedish Companies Act (sw. Aktiebolagslagen).

Cookies and similar technologies

When visiting our website, Cinclus Pharma, or a trusted third party, may store cookies on your device for the purpose of improving your user experience. Cookies that are essential for the website's appearance and functionality (Umbraco, MFN token and Recaptcha) will be stored automatically. Storage of other cookies will require your consent (Fontawesome and perseverance of the consent itself, which is managed by the third party tool Piwik. For information about their personal data processing, please see their privacy notice).

The storage times for the specific cookies are as follows:

Fontawesome: 12-24 months
Umbraco UMB_MCULTURE: 13 months
Umbraco UMB_UPDCHK: Session cookie
Cookie consent: 13 months
RECAPTCHA: 4 months
MFN: Session cookie

Cinclus Pharma’s website does not contain cookies for tracking, statistics or marketing purposes.

Changes to this Privacy Notice

This Privacy Notice will from time to time be subject to changes in order to reflect our user feedback and changes to our business. When an update is made, the date for the latest update will be stated at the top of the Notice and the changes will be further described in the section “Change history”.

If the Privacy Notice is subject to major changes, or changes are made in the way Cinclus Pharma processes your personal data, you will be noticed through our website or by receiving an email prior to the effective date of the changes.

Please read this Privacy Notice from time to time, to keep yourself informed on how we protect your personal data and integrity.

Contact us

If you have any questions, or for other reasons want to contact us regarding privacy matters, please contact our Data Protection Coordinator, by sending an e-mail to gdpr@cincluspharma.com.

Change history

May 2018: Clarifications due to the new data protection regulation (General Data Protection Regulation, “GDPR”) entered into force May 25, 2018. The updated Privacy Notice will automatically enter into force for all current users and visitors on May 25, 2018. Your continued use of our products and services, from that day, will be subject to the new Privacy Notice. The Privacy Notice has also been adjusted and adapted in order to be concise, clear, distinct and comprehensible and in that way easier to understand.

May 2022: Additional updates and changes for the purpose of making the Privacy Notice more clearly reflect how we conduct our business and how we during that process, handle personal data, your rights and how you may exercise your rights, transfer of personal data to third countries.

October 2022: Update regarding the implementation of third-party tool for obtaining and storing cookie consent.

April 2023: Additional updates and changes for the purpose of making the Privacy Notice more clearly reflect how we conduct our business and how we during that process, handle personal data, your rights and how you may exercise your rights, transfer of personal data to third countries.