Effective on: 17 March 2025
SOTIO Biotech Inc. (“SOTIO,” “we,” “us,” “our”) takes the protection of personal data very seriously. This Data Privacy Framework Privacy Notice (the “Notice”) sets out the privacy principles SOTIO follows with respect to transfers of personal data from the European Economic Area (EEA), the United Kingdom (UK) and Switzerland to the United States.
This Notice is directed at data subjects whose personal data we may receive in connection with the clinical trials (“Trial” or “Trials”) we sponsor. This Notice does not apply to personal data we collect by other means.
With respect to personal data processed in the scope of this Notice, SOTIO complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce regarding the processing of personal data. SOTIO has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
SOTIO has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework, and to view SOTIO’s certification, please visit www.dataprivacyframework.gov/s/ and www.dataprivacyframework.gov/s/participant-search, respectively.
SOTIO is responsible for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. We comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF for all onward transfers of personal data from the EU, UK and Switzerland, including the onward transfer liability provisions.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, SOTIO commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to VeraSafe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit VeraSafe Data Privacy Framework Dispute Resolution Procedure for more information, or visit the following link https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ to file a complaint. The services of VeraSafe are provided at no cost to you.
SOTIO follows the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF for all personal information received from the EEA, UK, or Switzerland under the DPF in relation to individual patients (“Participants”) and personnel (“Personnel”) whose personal data we may receive in connection with the Trials we sponsor.
For more information on the types of personal data we may receive in the United States, as well as the purposes for which we collect and use it, please read our Clinical Trial Privacy Notice available here.
In the context of this Notice, SOTIO acts as a data Controller for the personal data we process.
SOTIO acknowledges the right of EU, UK and Swiss individuals to access their personal data pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and will grant individuals reasonable access to personal information it received pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles. In addition, SOTIO will take reasonable steps to permit individuals to correct, amend, or delete such personal data that is demonstrated to be inaccurate or processed in violation of the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles. An individual may request to access their information, or otherwise correct, amend, or delete their information in line with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles by contacting us at privacy@sotio.com.
We share personal data with third parties such as the SOTIO family of companies, including our service providers, who process personal data on behalf of SOTIO. Such third parties include:
We will also share your personal data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, and public government agencies (i.e., National Health Authorities, Regulatory Authorities and Ethics Committees).
Our service providers and third parties involved in the Trials may be located outside of the United States; however, we will either obtain your explicit consent to transfer your personal data to such third parties, or we will require those third parties to maintain at least the same level of confidentiality that we maintain for such third parties ourselves. SOTIO remains liable for the protection of your personal data that we transfer to our service providers, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.
We may disclose your Personal Data (i) to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, or (ii) if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change, or (iii) to our subsidiaries or affiliates only if necessary for business and operational purposes as described in the section above.
We reserve the right to use, transfer, sell, and share aggregated, anonymous data, which does not include any personal data, for any legal business purpose, such as analyzing usage trends and seeking compatible advertisers, sponsors, clients, and customers.
If we must disclose your personal data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your personal data will maintain the privacy or security of your personal data.
If you are a data subject about whom we store personal data, you may have a right to request access to, and the opportunity to update, correct, or delete, such personal data. To submit such requests or raise any other questions, please use the contact details available at the “Contact Us” section below.
You may opt out of having your personal data shared with third parties by us, and you may revoke your consent that you have previously provided for us to share your personal data with third parties, except as required by law. You may also have the right to opt out if your personal data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. To do this, you may send your request to us using the information in the “Contact Us” section below.
If we make any material change to this Notice, we will post the revised Notice to this web page and update the “Effective” date above to reflect the date on which the new Notice became effective.
If you have any questions about this Notice or our processing of your personal data, please contact SOTIO:
by email at: privacy@sotio.com
Please allow up to four weeks for us to reply.
EUROPEAN UNION REPRESENTATIVE
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
UNITED KINGDOM REPRESENTATIVE
We have appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +44 (20) 4532 2003.
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London
SE1 7TL
United Kingdom
DATA PROTECTION OFFICER
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
VeraSafe LLC
100 M Street S.E., Suite 600
Washington, D.C.
20003
USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/
Telephone: +1 (617) 398-7067
If your dispute or complaint cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Data Privacy Framework’s Recourse, Enforcement and Liability Principle and Annex I of the Data Privacy Framework.
SOTIO is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.