Processing of personal data

PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA ICOSAGEN AS, ICOSAGEN CELL FACTORY OÜ AND ICOPARK OÜ

I. APPLICATION OF THE PROCESSING OF PERSONAL DATA

1. Icosagen AS, Icosagen Cell Factory and IcoPark OÜ (hereinafter: The Icosagen Group) process personal data, including special categories of personal data, in connection with the carrying out of the tasks arising from their objectives and in accordance with legislation applicable to the processing of personal data (General Data Protection Regulation (EU) 2016/679, Personal Data Protection Act). If the data includes personal information concerning natural persons, then this information is deemed to be restricted information and is subject to disclosure only in accordance with legislation.
2. The Icosagen Group processes special categories of personal data, in particular when that data has been collected for the purpose of conducting research or fulfilling employment obligations.
3. When processing data, the Icosagen Group ensures that personal data that has become known to the company is processed only in the manner prescribed by law and the company’s internal procedures, and that the invasion of privacy when processing personal data is minimal.
4. The processing of personal data is governed by applicable legislation, while information technology and organizational security measures are applied within the company to the processing of data, in order to ensure the secure processing of personal data.
5. The location of the Icosagen Group’s personal data processing is Icosagen AS: phone: +372-737-7070; e-mail address: andmekaitse@icosagen.ee, postal address: Eerika tee 1, Õssu küla, Kambja vald, 61713 Tartumaa.

II. AUTHORISED PROCESSING

6. The Icosagen Group involves authorized processors in the processing of personal data, if this is necessary to achieve the purpose for which personal data is being processed. Authorized processors may not use personal data for purposes other than the provision of the agreed upon service.
7. A personal data processing contract shall be entered into with the authorized processor, in which the personal data processing requirements for the authorized processor shall be established.

III. RIGHTS OF THE DATA SUBJECT, PROTECTION OF RIGHTS AND CONTACT DETAILS

8. The data subject has the right to:
8.1. know the purpose for the processing of personal data, the legal basis, the sources and types of personal data, as well as the recipients of the personal data and the term for processing;
8.2. examine the data that has been collected about him or her within the Icosagen Group;
8.3. request the correction of incorrect personal data. If the Icosagen Group no longer has a legal basis for processing personal data, the person has the right to request that the use of such data be restricted or deleted;
8.4. withdraw consent to the processing of personal data at any time;
8.5. contact the Icosagen Group in all matters concerning the processing of his or her personal data, by writing to the address andmekaitse@icosagen.ee.
9. In the event that the data subject finds that his or her rights have been violated during the processing of personal data, they have the right to file a complaint with the Estonian Data Protection Inspectorate (Tatari 39, Tallinn 10134, e-mail address: info@aki.ee).
10. In order to exercise his or her rights, the data subject shall submit a corresponding inquiry. The inquiry must be digitally signed or signed by hand in a way that allows for verification of the hand-written signature – the company must be able to establish that the hand-written signature was given by the person who submitted the inquiry. The inquiry shall be answered as soon as possible, but not later than within one calendar month. The response time may vary depending on the content, volume and complexity of the inquiry. The information or data shall be issued to the person having submitted the inquiry in electronic form and encrypted to their personal identification code, unless otherwise stated in the inquiry.
11. The Icosagen Group has the right to refuse to release data, if the release of the information could:
11.1. harm the rights and freedoms of another person;
11.2. impede or prejudice the prevention, detection, prosecution or execution of a punishment;
11.3. otherwise be in conflict with applicable law.
12. If a personal data breach occurs within the Icosagen Group and it poses a probable threat to the data subject’s rights and freedoms, we will notify the Estonian Data Protection Inspectorate of the breach.
13. We will take steps to immediately resolve the breach and prevent any further breaches.
14. If a breach involving personal data is likely to result in a high risk to the rights and freedoms of the data subject, we will also notify the data subject of the breach.
15. The purpose of the notification is to enable the data subject to take the necessary precautionary measures to mitigate the situation.

IV. PURPOSES OF THE PROCESSING OF PERSONAL DATA

16. The purposes of the processing of personal data by the Icosagen Group are:
16.1. conducting research or clinical research, including the conducting of a clinical trial with a medicinal product. We process data related to the organisation of scientific research that has been approved by the Ethics Review Committee on Human Research. In order to participate in scientific research, a person shall give his or her consent, which shall be preceded by informing the person of the purpose of the scientific research and the processing of personal data collected within the course of the scientific research.
16.2. responding to sent letters. We use the personal data of the data subject to ascertain and respond to the circumstances set out in the letter.
16.3. fulfilment of the obligations and rights of the employment relationship (including job applicants and trainees):
16.3.1. Icosagen Group organizes recruitment competitions and targeted searches to fill job vacancies. Job advertisements are published on the company’s website and all interested parties are given the opportunity to apply for the job. The Icosagen Group has the right to cancel an announced competition or change the terms and conditions of an announced competition by notifying the persons who have submitted an application via their known contact details. If an application for employment is submitted, the candidate is deemed to have given consent to the processing of his or her personal data. Additional information about the candidate may be gathered from public sources during the recruitment process. The candidate has the right to review the information gathered and to submit any explanations or objections they may have. It is presumed that the candidates have, in their application documents, granted their consent to answer questions about themselves, and that their references have agreed to be contacted in order to obtain information.
Documents collected during the competition will be retained for the following purposes:
- for a period of up to 1 year, to resolve possible legal disputes arising from the recruitment process;
- for a period of up to 2 years, with the consent of the candidate, to make a proposal to participate in a future competition or to make an alternative job proposal.
In the Icosagen Group, only persons involved in the recruitment process have access to the collected information. Candidate data is restricted information to which a third party is granted access only in cases provided by law or the organization of work within the company. Information about a person’s participation in the competition is not subject to disclosure.
16.3.2. Personal data is processed within the framework of the employment relationship, with the obligation to process arising from legislation (data for concluding a contract of employment, calculating working hours, paying wages and providing occupational health services).
In addition to the data required by law, personal data necessary for the organization of professional activities and notifications are processed. Employees will be notified separately regarding the processing of their data and, if necessary, the obtaining of consent will be organised. The names, job titles and photos of the members of the management board and employees involved in customer relations will be published on the company’s website.
16.4. the performance of obligations and rights – the Icosagen Group processes personal data in the performance of contracts for the provision of services, authorisation agreements, and contracts for services.

V. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

17. The legal bases for the processing of personal data are:
17.1. the basis provided by law;
17.2. the informed consent of the data subject;
17.3. an agreement entered into with the participation of the data subject;
17.4. legitimate interest in the case of the legitimate interest of a controller or of a third party.

VI. SOURCES OF PERSONAL DATA

18. Sources of personal data in scientific research are those that the person involved in the research or the Ethics Committee for Human Research has authorized for use as sources in the scientific research. The exact data composition of the processed personal data is set out in the application submitted to the Ethics Committee for Human Research and in the informed consent of the person involved in the research.
19. The sources of personal data in the employment relationship are the employee, the persons involved in the employment relationship (in connection with the provision of employment-related services) and public databases.
20. The sources for personal data in an obligation are the information obtained from the performance of the contract and from national databases, if the law provides for their use.

VII. TYPES OF PROCESSED PERSONAL DATA

21. The types of processed personal data are:
21.1. data enabling identification of the person (first name, surname and personal identification code);
21.2. contact details (telephone, e-mail address, and place of residence);
21.3. personal data accompanying the performance of the employment contract, including data verifying education and profession, and data related to the provision of occupational health services;
21.4. other data collected with the consent of employees;
21.5. specific types of personal data according to the purpose of the research (mostly health data).
22. When visiting the Icosagen Group’s website (www.icosagen.ee), the data collected and stored on the data subject is limited to the IP address of the computer or computer network being used by the data subject, the name and address of the Internet service provider for the computer or computer network, and the time of the visit (time, date, and year). The Icosagen Group does not associate IP addresses enabling personal identification and we only use them in a non-personalized form.
23. Security cameras have been installed to protect people and to prevent situations endangering the preservation of property (including information assets), to react to a dangerous situation or to identify the party responsible for causing damage in the event of damage to property. The fact that security cameras are being used is announced with the signs and markings that have been installed on the building upon entering the company’s territory (when entering the car park from Eerika tee).
24. Cameras have been placed on the exterior walls of the building, which transmit images in real time around the clock, record them, and allow them to be processed and played back later. Cameras are not allowed to monitor a specific person, but only a specific area of the yard and the events taking place there.
When processing camera data, we use security measures to protect the collected data from unintentional or unauthorized monitoring, copying, modification, transfer and deletion. Only designated persons have the right to access the camera recordings. Recordings may only be transmitted on a legal basis (e.g. to the police). Camera recordings are stored for a period of 2 months. After the deadline, the data will be deleted automatically by recording over the data.
25. In addition, personal data is also processed upon entering a building when using a door phone intercom, which includes a video call component. The purpose of the processing of personal data is to ensure the security of employees and visitors, to prevent or respond to situations endangering the preservation of property, and to provide operational service (reception) to incoming customers.
26. An overview of the Icosagen Group’s personal data processing operations is summarized in Annex 1 to this Procedure.

VIII. SECURITY OF PERSONAL DATA PROCESSING

27. The Icosagen Group implements appropriate technical and organizational measures for the processing of personal data in order to ensure the secure processing of personal data and to prevent the unauthorized processing of personal data by third parties.
28. Internal control is applied to the processing of personal data.

IX. TRANSMISSION OF PERSONAL DATA

29. Personal data will be transmitted if there is a legal basis. Data will not be transferred to third countries.

X. RETENTION OF PERSONAL DATA

30. Personal data shall be retained in accordance with the terms specified by law or the term specified in the research application and with the consent of the data subject.

XI. ANNEX 1

PERSONAL DATA PROCESSING OPERATIONS

 

Purpose of data processing
- Scientific research: Conducting clinical scientific research, including conducting a clinical trial of a medicinal product
- Employment Relationship (Employment Contracts Act): Fulfilment of obligations and rights arising from the employment relationship. Personnel records, calculation of wages, occupational health management
- Obligation (Law of Obligations Act): Performance of obligations and rights

Basis of data processing
- Scientific research: Consent and/or permission from the Ethics Committee for Human Research
- Employment Relationship (Employment Contracts Act): Contract of employment and laws (Employment Contracts Act, Occupational Health and Safety Act; Health Insurance Act, Income Tax Act, etc.). Fulfilment of an obligation arising from law; data collected on the basis of consent and used to coordinate and organize the activities of the enterprise.
- Obligation (Law of Obligations Act): Contract and law (Income Tax Act, Accounting Act, etc.)

Data processing sources
- Scientific research: Subjects included in the study
- Employment Relationship (Employment Contracts Act): Employees, trainees, job candidates (selected/non-selected candidates), national databases (employment register)
- Obligation (Law of Obligations Act): Persons involved in the performance of contract (authorisation agreement, contract for services); state databases in cases prescribed by law

Description of the types of personal data
- Scientific research: Personal data permitted to be collected in the survey (according to the purpose of the survey)
- Employment Relationship (Employment Contracts Act): Personnel records, calculation of wages (personnel software), occupational health service data, contact details published on the website
- Obligation (Law of Obligations Act): Contact information, personal identification code, bank account number

Categories of recipients to whom personal data have been or will be disclosed
- Scientific research: Data processing is performed by employees associated with the survey. Data will not be transmitted to third parties unless otherwise agreed upon in the study or consent
- Employment Relationship (Employment Contracts Act): Data is processed by an authorized employee of the company or an authorized processor who provides accounting, calculation of wages, or IT systems service and equipment maintenance and IT support services, with personal data (including special categories of personal data) becoming known in connection with this. National databases for the fulfilment of duties arising from law
- Obligation (Law of Obligations Act): The data is processed by an authorized employee of the company. In accordance with an obligation arising from a contract or law.

Retention of data
- Scientific research: Until the deadline set by the study and agreed upon with the consent.
- Employment Relationship (Employment Contracts Act): Until the term provided by law. Deadline has been set in the list of documents
- Obligation (Law of Obligations Act): The term provided by law, in accordance with the contract or the claim arising from the contract. The deadline is specified in the list of company documents

Deletion of data
- Scientific research: Data shall be deleted after the purpose of the study has been fulfilled and in accordance with the consent of the person
- Employment Relationship (Employment Contracts Act): The data shall be deleted after the expiry of the term specified by law
- Obligation (Law of Obligations Act): The data shall be deleted after fulfilment of the obligations arising from the contract and the requirements arising from law