EU Privacy Policy

The controller for processing of personal data in relation to our studies and clinical trials (“Studies” or in single cases the “Study”) and on our website https://www.fulcrumtx.com (“Website”) is Fulcrum Therapeutics (“we” or “Fulcrum”), 26 Landsdowne Street, Cambridge, MA 02139, +1 617 651 8851, info@fulcrumtx.com.

In order to be able to carry out the Studies as well as provide the Website we need to process certain personal data. We highly value the protection of those personal data and observe applicable data protection provisions, including those of the General Data Protection Regulation (“GDPR”).

In the course of some of our Studies, we may be involved in processing of personal data together with joint controllers. We will inform data subjects of the identity of the respective joint controllers in the relevant Study and make available to the data subjects the essence of the arrangement with such joint controllers.

This privacy policy (“Privacy Policy”) describes how we process personal data that you provide to us or that we collect about you. In particular, we will inform you in detail which personal data we collect, for which purposes we use them, with whom we share them and which control and information rights you may have.

I. General Information

1. Data Protection Officer and EU Representative

You can address our data protection officer (“DPO”) for the European Union using the following email address: DPO@fulcrumtx.com.

The EU Representative pursuant to Art. 27 of the GDPR is: Rivacy GmbH, Hammerbrookstraße 90, 20079 Hamburg, Germany.

2. Definitions

Personal data” means any information relating to an identified or identifiable natural person. This includes your email address, name, user behavior, etc.

Processing” means any operation or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means (such as their collection or storage).

3. Data security

Taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for your rights and freedoms, we take appropriate technical and organisational measures in accordance with Art. 32 of the GDPR to ensure a level of protection appropriate to the risk.

4. Retention period

4.1  We will retain your personal data only as long as necessary to attain the purpose of their processing as described herein. We will delete them afterwards unless we are legally entitled or obliged to retain them further. Regarding the Studies, we will inform you of the particular retention periods applicable to the Study-specific processing of personal data.

4.2  After the end of a Study, your personal data may also be of importance for other scientific research in subjects related to the Study. According to your prior approval and the local ethical committee approval in this regard, we may use your data and bodily material to perform other scientific research. In that case, we will inform you of such further processing of your personal data. If the information is anonymized (i.e. that you are not identifiable from the information) we may use such information for other scientific research with the proper approval of the ethical committee.

5. Your rights

You have the right

  • to access your personal data processed by us;
  • to rectify your personal data if inaccurate;
  • to erase personal data concerning you (‘right to be forgotten’);
  • to restrict the processing of personal data;
  • to receive your personal data processed by us in a structured, commonly used and machine-readable format where the processing is based on consent or with regard to a contract relationship with you (‘right to data portability’).
You also have the right to object to the processing of personal data concerning you where the processing of personal data is based on Art. 6(1)(f) of the GDPR on grounds relating to your particular situation.

 

You may exercise these rights by contacting us through the contact information above.

You always have the right to lodge a complaint with a supervisory authority.

6. Contacting us

If you contact us (e.g. via our contact information mentioned above), we process the personal data you have provided (e.g. your name and e-mail address) in order to answer your questions (Art. 6(1)(f) of the GDPR).

II. Studies

Our goal is to develop new medicines to deliver a new future for patients and their families by transforming gene regulation in genetically defined diseases. Before a new drug is ready for the market, it needs to be tested. In order to do so and to assess potential risks and benefits for patients, we carry out a broad range of Studies.

As part of these Studies, we process personal data as described in this section II.

1.  Categories of personal data and data subjects

1.1   Usually, the participants in our Studies (“Participant(s)”) are patients that suffer from the condition we try finding a cure or medicine for, which can ease the impairments they are suffering from. Depending on the specific Study, we also allow enrollment of healthy Participants. We inform the Participants of such eligibility criteria before we carry out the respective Study.

1.2   Depending on the specific Study, we process the following categories of personal data of the Participants:

  1. General Participant information (i.e. first name, last name, address including country of residence, telephone number, email address, birth year, sex/gender, childbearing potential [for females only], ethnicity, race, hand dominance, employment, education);
  2. Type and stage of the disease the Participant is suffering from or whether he or she is a healthy volunteer;
  3. Genetic confirmation of disease (if applicable);
  4. Medical and surgical history (i.e. date of diagnosis, treatment approaches, dates for start and stop of treatments, whether ongoing or not);
  5. Condition the Participant is in before the Study has started and during the Study regarding general health and lifestyle (blood pressure, pulse rate, respiratory rate, temperature, height, weight, body mass index, ECG values, perceived well-being, any abnormalities found on medical history and physical examination are recorded);
  6. Condition the Participant is in before and during the study regarding their disease under investigation, if applicable (for example, presence and severity of functional impairment and disability, signs and symptoms, impact on daily life and activities, etc.);
  7. Period in which the Study is carried out (including start and end date), site, and information whether Participant took part in the study, completed the study, or screened failed;
  8. Study phases that have been carried out with the Participant;
  9. Primary purpose of the Study (e.g., treatment, supportive care) and treatment chosen for that purpose;
  10. Test methods and procedures (details to be provided with regard to the specific Study);
  11. Fluid or tissue sampling method (e.g., blood, urine, muscle) and sample data (details to be provided with regard to the specific Study);
  12. Dates and times of collection of blood and/or urine or other specimens such as tissue samples;
  13. Attendance times to the clinic and times under evaluation;
  14. Specific Drug candidates under evaluation or placebos dispensed and taken during the Study and specific doses received and compliance with the assigned treatment;
  15. Occurrence and reported side effects, if any, their severity and estimated relationship to administered study treatment or study procedures, actions taken, outcome;
  16. Study results (i.e. how Participants have reacted to tested treatments, interventions or natural history of the condition, when applicable);
  17. Concomitant medications taken during the study, with start date, stop date, dose, frequency and route of administration, indication, adverse events (if any).

We will inform all Participants in each Study of which of their personal data we process.

6.2   We also may process additional or different personal data if the respective Study requires so. In this case, we inform the Participant respectively before processing such data in the respective Study.

6.3   If there is no more slot available to participate in one particular Study, we may put a Participant under our full discretion on a stand-by list in case another Participant can no longer participate in the Study.

2. Purpose of the processing of personal data

The reason why we process personal data is our main goal: We want to make a positive impact in the lives of patients and families impacted by severe disease. For each Study, we are working closely with patient groups who we consider partners in our search to better understand the disorders they suffer from and to develop breakthrough medicines. For every Study we start, we regard partnership with patient groups as essential to our work.

Our unique and differentiated approach addresses the genetic cause of disease. In our initial efforts, we will be focusing on monogenic diseases that arise due to a faulty regulation of a single gene. This approach leads us to the questions we need to ask, the tests and trials we need to carry out and thus, to the personal data we need to process.

7.  Legal basis of the processing

As much of the personal data we process as part of our Studies must be considered special categories of personal data according to Art. 9 of the GDPR, we generally process these data based on the respective Participant’s informed consent (Art. 6(1)(a) and Art. 9(2)(a) of the GDPR).

Where the member states of the European Union have made use of their competence to provide for an additional justification and/or additional requirements for the processing of special categories of personal data, we may process the respective data based on such additional legal basis.

8.  Encoding of personal data

A code is assigned to each Participant. This code serves as a reference where we do not process plain names along with Study insights or results. Nonetheless, we store the codes in case we need to identify a Participant for safety or regulatory reasons, e.g., in light of the results of the Study.

9.  Transfers of personal data

9.1 Depending on the respective Study, we may transfer encoded personal Participant data, either raw data or analysed data, either along with the Participant’s code identity or without it, to particular recipients, e.g., regulatory agencies, vendors, payor agencies, scientific advisors, consultants, at scientific meetings, with patient groups, and in publications. Those recipients may act as processors, joint or separate controllers in the specific case or be entitled to receive the relevant data by law. We will inform the Participants of such transfers.

9.2   Study results are prepared into clinical study reports (“CSRs”) that are stored in the company servers. The CSRs only contain aggregated data and can be used for regulatory submissions.

9.3   Results of Studies are presented using aggregated data only (without reference to the code or any other clear identifier) within Fulcrum, to investors, patient groups, scientific and clinical advisors, and as posters and publications. They are also posted in the clinicaltrials.gov portal or other clinical trial registries as required. Sometimes key study results are reported in press releases.

9.4   Fulcrum never shares identifiable data of the Participants unless required by applicable law.

9.5   If we need to share personal data of the Participants with other parties involved in the specific Study for a particular Study-related purpose, we will inform the Participants before we begin with the Study.

III. Processing in connection with our Website

In connection with our Website, we process personal data as described in this section III.

1. Processing of personal data when using the Website for informational purposes

When you visit the Website for informational purposes without providing personal data actively by using a particular function of the Website your browser transmits personal data to our server by using log files. These log files transmit the following information to us:

  • IP address
  • Date and time of visit
  • URLs of pages visited
  • Number of pages visited
  • Last activity date and time
  • Referral website and information
  • Type, language and version of browser
  • Device ID

We process these personal data in order to allow the use of our Website (e.g., by adapting our Website to the requirements of your device). The legal basis for this processing of personal data is Art. 6(1)(f) of the GDPR, as the recording of the data serves our legitimate interest in ensuring the stability and security of the Website.

10. Processing of personal data when contacting us

When you contact us in connection to a contractual relationship with us, we process your personal data (such as your email address or telephone number, as well as your specific concern), to address your concern, answer any questions, or provide general information with regard to our services. The legal basis for this processing is Art. 6(1)(b) of the GDPR.

When you contact us as a third party with no connection to any (potential or future) contractual relationship (e.g., along with a complaint or with regard to a specific clinical trial, a drug in development or a particular disease), we process the personal data you disclose to us (such as your email address or telephone number, as well as your specific concern) to answer your questions or remedy your complaint. The legal basis for this processing is Art. 6(1)(f) of the GDPR, with our legitimate interest being to respond to your request.

11. Cookies

We use cookies on our Website. Cookies are small text files that are stored on your device. Some cookies serve to store preferences and are deleted after the end of the browser session, i.e. after closing the browser, so-called session cookies. Other cookies serve to adapt the Website to user needs and remain on the end device, so-called persistent cookies.

In your browser settings, you can allow cookies for individual cases, limit the acceptance of cookies to certain cases or generally exclude them and activate the automatic deletion of cookies when closing the browser. If you deactivated the use of cookies, the functionality of this Website may be restricted.

We use the cookies listed below on our Website:

Cookie identifier Provider Purpose Storage period Opt-out
_ga (Google Analytics) Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043 USA Stores information on the Website activities of the user 2 years https://tools.google.com/dlpage/gaoptout?hl=de

 

11.1 Google Analytics

We use functions of the web analysis service Google Analytics on our Website. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

Google Analytics uses cookies (see above). The information generated by the cookie about your use of this Website is transferred to a Google server and stored there. We have activated the IP pseudonymization function on this Website. As a result, your IP address will be shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area prior to transmission to the USA. Only in exceptional cases the full IP address will be transmitted to a Google server in the United States and truncated there. On our behalf, Google will use this information for the purpose of evaluating your use of this Website, compiling reports on website activity and providing other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google.

We have concluded a data processing agreement with Google. Data transmission therefore is privileged in accordance with Art. 28 of the GDPR.

For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Google Analytics cookies are stored based on (and only after you gave) your consent, Art. 6(1)(a) of the GDPR. You may withdraw your consent at any time [by clicking here]. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

11.2   Google Search Console

We use the Google Search Console to monitor the Website technically for possible errors. The Google Search Console is a free service from Google that allows us to monitor and manage our presence in the Google search index. It gives us access to much of the data and information Google has about our Website. With regard to data protection, the use of the Google Search Console is harmless, because no user or tracking data is transmitted from our Website to Google, but we only receive data from Google about our web presence.

11.3   Google Web Fonts

This Website uses so-called web fonts, which are provided by Google, for the uniform representation of fonts. The provider is Google. When you access a website, your browser loads the web fonts you need into its browser cache to display text and fonts correctly.

For this purpose, the browser you are using must connect to Google’s servers. This will enable Google to know that your IP address has been used to access our Website. The use of Google Web Fonts is in the interest of a uniform and appealing presentation of our online services. This represents a legitimate interest within the meaning of Art. 6(1)(f) of the GDPR. If your browser does not support web fonts, a standard font will be used by your computer.

12. Google Maps

We have embedded the map service “Google Maps” of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ireland”) into our website. We use a link between Google Ireland and our website. This means that when you visit our site, initially no personal data is passed on to Google Ireland.

Google Ireland only receives the information that you have accessed the map from our Website when you click on the embedded map. If you are logged in to Google, your personal information will be directly associated with your Google Account. If you do not want your interaction with Google Maps to be associated with your Google Account, you will need to log out before viewing the map.

We will transfer your personal data within the scope of the use of Google Maps based on your consent. The processing therefore is based on Art. 6(1)(f) of the GDPR. Our legitimate interest is to provide you with a map on our contacts page.

You will find further information on the purpose and scope of the processing of personal data by Google and Google Ireland in their privacy policy (https://policies.google.com/privacy?hl=en&gl=en). There you will also find further information on your rights in this regard and browser setting options to protect your privacy.

1. Transfer of personal data to third parties

Except in the cases mentioned in this Privacy Policy, your personal data concerning the Website will not be disclosed to third parties. Personal data may be disclosed to third parties who act on our behalf to process the personal data in accordance with its original purpose, such providing technical support or answering questions. These third parties are contractually obligated by us under statutory designated agreements to use personal data only for the agreed purpose or not to disclose your personal data to other parties without permission, unless required by law.

We transfer your personal data processed through to countries outside the EU and the EEA (so-called third countries), in particular to the USA. If so, we will ensure that the specific requirements of Artt. 44 ff. of the GDPR are met. You may contact our DPO to obtain a copy of the appropriate or suitable safeguards.

 

This Privacy Policy was last updated 25 July, 2019.