Effective November 20, 2020
Karuna Therapeutics (also “Karuna”) recognizes the importance of protecting the privacy of the individuals we interact with through our website, direct contact and our clinical research.
This Privacy Notice describes the practices that we follow at Karuna regarding the personal data we collect, use and disclose for different purposes as well as how we ensure this personal data remains protected from the moment we collect it until we dispose of it. We also discuss what rights you have over your personal data and how to contact us when you have questions or concerns specific to the management of your personal data.
What is personal data?
Personal data means any information relating to an identified or identifiable individual; this refers to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Personal data collection and processing at Karuna
We collect and process personal data for different purposes:
- When you contact us. If you send us an email or you call us directly, we collect personal data from you such as your name, email address, phone number and the reason for your communication. We use this data to respond to your inquiry or provide you with the information that you are looking for.
- When you navigate our website. When you visit our website, we automatically collect your IP address, browser type and the pages that you navigate to. We use information about our website visitors to improve our website usability and experience.
- Clinical trials. We do not collect personal data directly from the subjects that participate in our clinical trials. Subject data is collected by the sites that manage the trials that we sponsor. The subject data that we obtain from the sites is pseudonymized, meaning that a subject’s identifiable information is replaced with a code that we cannot link back to that individual.
- Clinical trial site staff and investigators. We collect personal data from these individuals to review their credentials and ensure they are qualified to perform the work related to the clinical trial.
Legal basis for processing personal data
Karuna only processes personal data if there is a legal basis for processing. The legal bases that we rely on are:
- Legitimate interest from you. To provide you with the information you request when you contact Karuna.
- Legitimate interest from Karuna. To provide you with a better navigation experience when you visit our website.
- Explicit consent through the Informed Consent Form that subjects sign prior to joining a clinical trial.
- Legal or regulatory obligation. Karuna needs to ensure that the staff and investigators conducting clinical trials on our behalf have the required qualifications.
Personal data disclosure at Karuna
Karuna discloses personal data to the following parties under specific circumstances:
- To Karuna’s employees in order to fulfill your request.
- To third-party service providers that support or host our systems or support activities related to clinical trials.
- To authorities as required by law, court order, legal process or government or regulatory requirement or to protect the safety, rights, or property of the public or Karuna.
- To an acquirer of all or part of our business, as permitted by applicable law.
Personal data protection
Karuna is committed to protecting the personal data we collect, process and disclose. We maintain appropriate safeguards and take reasonable steps to protect personal data, ensure that we limit its use and disclose it only to the parties that have a legitimate reason to have access to it.
We ensure that all the parties that we disclose personal data to, internal and external to Karuna, have contractual obligations to protect the security and the confidentiality of personal data.
Personal data retention
Karuna retains personal data only for the period of time that is necessary for the purpose for which it was collected.
- For contact requests, Karuna retains the data for 2 years after the request has been fulfilled
- For clinical trials, Karuna will retain personal data for a minimum period of 15 years. This period may be longer depending on legal or regulatory requirements.
- For information collected when you visit our website, please refer to Karuna Therapeutics’ Cookie Notice for further information.
Personal data rights
Subject to any exceptions provided by law, Karuna provides individuals with the right to exercise the following requests with respect to their personal data:
- You have the right to access the personal data that Karuna maintains about you.
- You have the right to request deletion of your personal data, update or correct your data, object to processing of your data, ask us to restrict processing of your data or request portability of your data. On each particular case we will inform you of the consequences of your request and if there are any exemptions to honoring your request based on legal, regulatory or contractual requirements.
- If Karuna has collected and processed your personal data based on your explicit consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing Karuna conducted prior to your withdrawal.
- You have the right to be notified about a data breach that may impact the integrity, availability or confidentiality of your personal data. Refer to our data breach notification section for more details.
- You have the right to complain to a data protection authority about Karuna’s collection and processing of your personal data. However, we would appreciate if you gave us the opportunity to handle your complaint internally before contacting a data protection authority.
In order to exercise any of the rights you have over your personal data, please download and complete the Subject Access Request (SAR) form and email the completed SAR form to the following email address: email@example.com.
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Karuna has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:
Sending an email to firstname.lastname@example.org
Using EDPO’s online request form: https://edpo.com/gdpr-data-request/
Writing to EDPO at Regus Paris- Champs Elysées, 12/14 rond-point des Champs Elysées, Paris, 75008, France.
EU Individuals: Right to lodge a complaint with an EU Supervisory Authority
If you reside in the EU and want to lodge a complaint with a Supervisory Authority (Data Protection Authority) you may do so in the Member State where you reside, where you work or where you may have experienced an issue with the processing of your personal data.
Personal data breach notification
We have put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Should we learn of a security breach that affects your personal data, we will notify you in order to explain how this breach may affect you and to provide you with any advice on how to protect yourself. We will contact you through the email address we have on file or by posting a notice on our website.
Karuna’s contact information
If you have any further questions about how Karuna collects, uses, discloses or protects your personal data or if you have any questions about this privacy notice, including any requests to exercise your personal data rights, you may contact us at email@example.com.
Personal data transfers
Karuna complies with the EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland. Karuna has certified that it adheres to the Privacy Shield Principles. If there is any conflict between the policies in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshied.gov/list.
With respect to personal data received or transferred pursuant to the EU-US Privacy Shield Framework, Karuna is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
Pursuant to the Privacy Shield Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to them in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to firstname.lastname@example.org. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to email@example.com.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Karuna’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Karuna remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Karuna proves that it is not responsible for the event giving rise to the damage.
On July 16, 2020 the Court of Justice of the European Union issued a judgement declaring the EU-US Privacy Shield framework invalid. Because Karuna is committed to the data protection principles as stated in the GDPR as well as the principles of the EU-US Privacy Shield framework, we will remain an active participant of the framework.
After the ruling from the Court of Justice of the European Union and whenever Karuna performs data transfers from the EU into the US, we will make sure to implement alternative measures that are deemed valid data transfer mechanisms and we will work with partners that follow the appropriate legal, technological and operational frameworks to ensure the validity of data transfers.
If you have any questions about Karuna’s personal data transfers from the EU to the US, you may contact us at firstname.lastname@example.org
EU-US – Swiss-U.S. Privacy Shield Complaint Resolution Mechanism
In compliance with the Privacy Shield Principles, Karuna commits to resolving complaints about your privacy and our collection or use of EU, UK, or Swiss personal data transferred to the United States pursuant to EU-US Privacy Shield. European Union, UK, and Swiss individuals with EU-US Privacy Shield inquiries or complaints should first contact Karuna by email at email@example.com.
Karuna has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
Karuna commits to cooperate with the EU and UK Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by the EU and UK Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner with regard to human resources data transferred from the EU, UK or Switzerland in the context of the employment relationship.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction