1. Introduction

The protection of Personal Data is important to us. Aragen is committed to conducting its business in accordance with applicable data protection regulations and in line with the industry standards of ethical conduct. This Privacy Policy (“Policy”) sets forth the organizational intent and data protection principles which shall be followed by all Aragen entities in its processing and protection of Personal Data.
Aragen is fully committed to ensuring continued and effective implementation of this policy, and expects all Aragen employees and third parties to share in this commitment.

2. Scope

This Policy applies to all Aragen entities where a data subject’s Personal Data is processed:

  • In the context of the business activities of the Aragen entity.

This Policy applies to all processing of Personal Data either in electronic form or where it is held in manual files that are structured in a way that allows ready access to information about individuals. Wherever the context requires in this Policy, Personal Data shall be interpreted to also include sensitive Personal Data.
This policy has been designed to establish a worldwide baseline standard for the processing and protection of Personal Data by all Aragen entities. All inquiries about this Policy can be directed to data.protection@aragen.com.

3. Governance
3.1 Privacy Organization

Data subject concerns shall be addressed and their rights related to information access; objection to processing, automated decision-making and profiling; restriction of processing; data portability; data rectification; and data erasure shall be upheld through an internal data protection office.

If an individual makes a request relating to any of the rights above, Aragen shall consider each such request in accordance with all applicable data protection laws and regulations. No administration fee will be charged for considering and/ or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. This demonstrates our commitment to data protection and it shall enhance the effectiveness of our compliance efforts.

3.2 Policy Dissemination & Enforcement

The management team of each Aragen entity must ensure that all Aragen employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy.
In addition, each Aragen entity will make sure all third parties engaged to process Personal Data on their behalf are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all third parties, whether companies or individuals, prior to granting them access to Personal Data controlled by Aragen.

3.3 Compliance Monitoring

To confirm that an adequate level of compliance is being achieved by all Aragen entities in relation to this policy, the Organization will carry out periodic Data Protection compliance audits for all such entities. Each audit will, inter alia, assess:

  • Compliance with Policy in relation to the protection of Personal Data, including:
    • The assignment of responsibilities
    • Raising awareness
    • Training of Employees
  • The effectiveness of Data Protection related operational practices, including:
    • Data Subject rights
    • Personal Data transfers
    • Personal Data incident management
    • Personal Data complaints handling
  • The level of understanding of Data Protection policies and Privacy Notices
  • The currency of Data Protection policies and Privacy Notices
  • The accuracy of Personal Data being stored
  • The conformity of third party activities
  • The adequacy of procedures for redressing poor compliance and Personal Data breaches.
4. Data Protection & Privacy Principles

Aragen has adopted the following principles to govern its collection, use, retention, transfer, disclosure, and destruction of Personal Data.

  • Purpose Limitation: Personal Data shall only be collected and processed for specific, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Lawfulness, Fairness, and Transparency: Personal Data shall be processed lawfully, fairly, and transparently, regardless of the source of Personal Data collected.
  • Data minimization: Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. No Personal Data shall be stored beyond what is strictly required.
  • Accuracy: Personal Data shall be accurate and kept up-to-date as per the instructions of the data subjects.
  • Storage Limitation: Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed.
  • Integrity and confidentiality: Personal Data shall be processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.
  • Accountability: Aragen must demonstrate that the principles outlined above are met for all Personal Data for which it is responsible.
5. Data Protection & Privacy Measures

In pursuance of the above principles, Aragen abides by the following measures.

  • Privacy by design: All data protection requirements shall be identified and addressed when designing new systems or processes and/ or when reviewing or expanding existing systems or processes. Protection Impact Assessment (DPIA) shall be conducted, for all new and / or revised systems or processes. The impact of any new technology uses on the security of Personal Data shall be assessed.
  • Training: All employees shall be given appropriate training regarding implementation of data protection policies of the Company.
    Data collection: Personal Data may be collected from related data subjects unless the nature of the business purpose necessitates collection of Personal Data from other persons. If Personal Data is collected from someone other than the data subject, the data subject shall be informed of the collection. In all cases where notices are required to be issued to the data subject, these shall be issued promptly.
  • Data subject notification: Aragen shall, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their Personal Data, by way of a notice, and obtain consent only where the legal basis of processing Personal Data is consent.
  • Data processing: Aragen shall use Personal Data for the broad purposes of general running and administration of Aragen entities, to provide services to Aragen’s customers, and the ongoing administration and management of customer services. Aragen shall process Personal Data in accordance with all applicable laws and contractual obligations.
  • Data retention: To ensure fair processing, Personal Data shall be retained only for as long as necessary to fulfil the purposes of collection or as required by applicable laws. All Personal Data shall be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
  • Data transfer: Aragen entities may transfer Personal Data internally or to third party recipients. In order for Aragen to carry out its operations across its various entities, there may be occasions when it is necessary to transfer Personal Data from one entity to another, or to allow access to the Personal Data from an overseas location. Each Aragen entity will only transfer Personal Data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. An approved transfer mechanism with adequate safeguards shall be used in all such cases.
  • Data access: Access to Personal Data shall be granted only to authorized employees. Such access shall be suitably granted, modified, and revoked in line with the employee lifecycle and access management requirements.
  • Data protection: Each Aragen entity shall adopt physical, technical, and organizational measures to ensure the security of Personal Data. Further, adequate safeguards in the form of contractual clauses and data transfer agreements shall be included when transferring Personal Data across jurisdictions or to any third party. In all cases where Aragen entities are processing Personal Data as a data processor, the data shall be processed only in accordance with the instructions of the data controller.
  • Data quality: Aragen shall adopt all necessary measures to ensure that the Personal Data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the data subject as notified by such subject.
  • Breach reporting: Any individual who suspects that a Personal Data breach has occurred due to the theft or exposure of Personal Data shall immediately notify the internal Privacy Organization on data.protection@aragen.com. The Privacy Organization shall record and investigate all reported incidents to confirm whether or not a Personal Data breach has occurred. If confirmed, the Privacy Organization shall follow the procedures prescribed in the Personal Data Breach Management Guideline based on the criticality and quantity of the Personal Data involved, to notify the relevant supervising authority and the affected data subjects within prescribed timelines.
  • External privacy notices: Each external website provided by an Aragen entity shall include an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law. All privacy and cookie notices must be approved by the Privacy Organization prior to publication on any Aragen external website.
  • Law Enforcement Requests and Disclosures: If any Aragen entity receives a request from a court or any regulatory or law enforcement authority for information relating to an Aragen contact, the data subject shall be immediately notified.
  • Complaint handling: Data subjects with a complaint about the processing of their Personal Data, should put forward the matter in writing to the Privacy Organization. An investigation of the complaint shall be carried out to the extent that is appropriate based on the merits of the specific case. The Privacy Organization shall inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the issue cannot be resolved through consultation between the data subject and the Privacy Organization, the data subject may then, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable jurisdiction.
6. Publication Policy

This policy shall be available to all Aragen employees through Aragen’s policy portal (intranet.aragen.com) or via alternative means as deemed appropriate by the Privacy Organization.

6.1 Revisions

Aragen reserves the right to update this Policy at any time. Any updates shall be made available via means deemed appropriate, in most cases through an email and/ or publication on Aragen’s website and intranet portal.

Glossary

TermsDefinition
AragenAragen Life Sciences Private Limited, its subsidiaries.
Data ControllerAn organization that handles Personal Data and makes decisions about its use.
Data ProcessorAn individual or organization that processes data on behalf of the data controller. Although they are often third-party providers, a data controller can also be a data processor.
Data Protection Impact Assessment (DPIA)An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
Data SubjectThe individual about whom information is being processed.
NoticeA statement made to a data subject that describes how the organization collects, uses, retains and discloses Personal Data.
ProcessingAny operation or set of operations which is performed on Personal Data, such as collecting; recording; organizing; storing; adapting or altering; retrieving; consulting; using; disclosing by transmission, dissemination or otherwise making the data available; aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.
Personal DataAny information relating to a natural person, which could be used for identifying such person, in particular by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive Personal DataSuch Personal Data which consists of information revealing the data subject’s medical, financial, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.