Personal Data Collection

Ultragenyx wishes to collect, use, process and store (collectively “Processed”, “Processing” or “Process”) information about healthcare professionals (“HCPs”) relationship with Ultragenyx. We refer to such information as “Personal Data”. This Privacy Notice for HCPs (“Notice”) describes how HCPs Personal Data will be Processed by Ultragenyx Pharmaceutical, Inc. with offices at 60 Leveroni Court, Novato, CA 94949, United States of America and its Affiliates worldwide (collectively referred to as “Ultragenyx”), that is the data controller of the Personal Data that is Processed for any of the purposes described in this Notice.

We collect Personal Data (i) from each HCP as well as (ii) from other sources. In relation to point No. (i), HCPs Personal Data are mainly provided by the same HCPs during visits or meetings that they may have from time to time exclusively with authorized Ultragenyx personnel; in relation to point No. (ii), HCPs Personal Data may be collected from registers, professional registers, public lists or scientific databases and web sites or from third parties authorized by the same HCPs to communicate such data, or as specifically provided below, under the “Purposes and Legal Bases of Personal Data Processing” section.

Purposes and Legal Bases of Personal Data Processing

Under data protection laws, Ultragenyx must have a legal basis to Process HCPs Personal Data. The legal basis that applies in a particular instance will depend on the specific purposes for which Ultragenyx is Processing HCPs Personal Data. Ultragenyx will Process HCPs Personal Data for the following purposes:

a) Communicating other information that Ultragenyx believes in good faith may be of interest to the recipient HCP

Ultragenyx collects and uses HCPs information to communicate with them via e-mail, call centers, postal mail and other channels. These communications may include promotional material about Ultragenyx products and services, as well as non-promotional material about relevant diseases where Ultragenyx is active. The Personal Data we may collect in this regard includes:

  • Information that directly identifies the concerned HCP, such as family name, first name;
  • Contact details, including email addresses and phone numbers, address of residence and address of registration at the place of residence; professional phone contact; home and mobile phone numbers, and other contact information, including personal professional e-mail addresses, as well as any other information provided by HCPs in their request.

The legal basis for this processing is our legitimate interest in promoting our business activities and communicating with individuals who have shown interest.

b) Keeping track of our interactions with HCPs, both online and offline

Ultragenyx collects and uses HCPs information, such as communication records and interaction history, which may include details of HCPs inquiries, direct communications, or other forms of interactions with our websites or events. The Personal Data we may collect in this regard includes:

  • Information that directly identifies the concerned HCP, such as family name, first name, patronymic; date of birth; gender; place of birth; nationality; passport details (including series, number, date of issue, photo and sample of signature), if necessary;
  • Contact details, including address of residence and address of registration at the place of residence; professional phone contact; home and mobile phone numbers, and other contact information, including personal professional e-mail addresses;
  • Payment and financial-related information, including HCPs personal bank account or HCPs company bank account; HCPs taxpayer identification number, VAT number or similar; other tax information; benefit and compensation information;
  • Information about HCPs training and qualifications, including hiring and termination dates in regard to current and former employers; office addresses and phone numbers; office e-mail addresses; education details; occupied position (including title and description); professional skills and achievements; work experience (Curriculum Vitae, recommendations, questionnaires, etc.); and information about professional assessments and training;
  • Photographic images and video recording of the concerned HCP; and
  • Other information about the concerned HCP required to manage the professional relationship with Ultragenyx and administer the program of compliance with internal policies of Ultragenyx.

The legal basis for this processing is our legitimate interests in managing and improving our customer and business relationships and services.

c) Business relationship management – Profiling

Ultragenyx collects and uses HCPs Personal Data in order to administer the relationship with HCPs (such as to arrange face-to-face or virtual visits/meetings) and to build a profile about HCPs, in order to understand their areas of expertise and topics of interest better. Ultragenyx also collects and uses HCPs Personal Data to determine if it should enter into, or renew, a business relationship with an HCP (for example, to perform studies, surveys or market research, present or speak to internal or external audiences, to participate in advisory boards or attend any other meetings or events, including congresses, and to assess their interest in providing medical/scientific consulting).

The Personal Data that we may collect in this regard includes:

  • Information that directly identifies HCPs, such as family name, first name, patronymic; date of birth; gender; place of birth; nationality; passport details (including series, number, date of issue, photo and sample of signature) if necessary;
  • Contact details, including address of residence and address of registration at the place of residence; professional phone contact; home and mobile phone numbers, and other contact information, including personal professional e-mail addresses;
  • Information about HCPs training and qualifications, including hiring and termination dates in regard to current and former employers; office addresses and phone numbers; office e-mail addresses; education details; occupied position (including title and description); professional skills and achievements; work experience (Curriculum Vitae, recommendations, questionnaires, etc.); and information about professional assessments and trainings;
  • HCPs Photographic images and video recording;
  • Hotel rewards code or frequent flyer number; and
  • Emergency contact details (such as name and phone number).

We require this information to:

  • evaluate an HCP’s professional history for our due diligence purposes as a responsible company (including, but not limited to, compliance with anti-bribery and corruption laws);
  • determine an HCP’s level of remuneration based on their professional qualifications;
  • organize any travel and accommodation on an HCP’s behalf;
  • enter into, or renew, a contractual arrangement of any sort with the HCPs; and
  • produce relevant communications and provide the HCPs with a better experience.

Ultragenyx collects most of this information directly from HCPs when they provide us with their Curriculum Vitae. We also collect information about HCPs from publicly available sources and/or additional external sources that legitimately hold Personal Data about the HCPs and can share it with third parties, allowing it to be combined with the data provided to Ultragenyx . This information is only processed where relevant and necessary to evaluate HCPs background properly and to meet our commitment to deal only with valid and ethical business partners. It is in Ultragenyx’s legitimate interest to process the Personal Data HCPs provide to determine levels of remuneration and to be a compliant company and, in some cases, it is a legal obligation on Ultragenyx to process this Personal Data to comply with its legal obligations regarding combatting bribery and corruption. Ultragenyx also requires this information to enter into a contract with HCPs and/ or maintain and enhance Ultragenyx’s business relationship with them.

d) Contacting the HCPs to take part in marketing research projects

Ultragenyx collects and uses Personal Data about HCPs when they are invited to, and participate in, market research studies or surveys. The Personal Data that we collect about an HCP will depend on the market research study or survey that is being conducted, however, this typically includes:

  • Information that directly identifies the HCPs, such as family name, first name, patronymic; date of birth; gender; place of birth; nationality; passport details (including series, number, date of issue, photo and sample of signature) if necessary;
  • Opinions and responses to studies, surveys or questionnaire forms;
  • Contact details, including address of residence and address of registration at the place of residence; professional phone contact; home and mobile phone numbers, and other contact information, including personal professional e-mail addresses; and
  • Information about HCPs training and qualifications, including hiring and termination dates in regard to current and former employers; office addresses and phone numbers; office e-mail addresses; education details; occupied position (including title and description); professional skills and achievements; work experience (Curriculum Vitae, recommendations, questionnaires, etc.); information about professional assessments and trainings; and interest in Ultragenyx products and treatment habits.

We require this information to:

  • gather data about Ultragenyx (such as feedback on a product or service);
  • better understand a disease area; and
  • improve our understanding of the pharmaceutical industry.

Ultragenyx collects some of this information about HCPs from publicly available sources like external lists or databases in order to select respondents to participate in market research. HCPs’ opinions or responses to studies, surveys or questionnaire forms are collected directly from the concerned HCPs when they participate in the market research study or survey. It is in Ultragenyx’s legitimate interest to process the Personal Data in order to gather data about our company.

e) Legally required communications

In certain cases, Ultragenyx is legally required to send a specific communication to HCPs, for example as a condition of a license for a product or because of identified safety issues. In this case, we may also engage external HCP database providers to provide us with accurate HCP contact details or send the communications on Ultragenyx’s behalf. In such cases, Ultragenyx processes HCP Personal Data and sends such communications on the basis that processing is necessary for compliance with a legal obligation on Ultragenyx.

f) Complying with all laws and regulations

Ultragenyx is committed to adhering to the legal and regulatory requirements applicable to its operations and activities. This encompasses various local, national, and international laws, regulations, directives, guidelines, and industry standards relevant to Ultragenyx’s business activities in the pharmaceutical field. The Personal Data we may collect and use in this regard includes:

  • Information that directly identifies the HCP, such as family name, first name, patronymic; date of birth; gender; place of birth; nationality; passport details (including series, number, date of issue, photo and sample of signature) if necessary; address of residence and address of registration at the place of residence; professional phone contact; home and mobile phone numbers, and other contact information, including personal professional e-mail addresses;
  • Payment and financial-related information, including HCPs personal bank account or HCPs company bank account; HCPs taxpayer identification number, VAT number or similar; other tax information; benefit and compensation information;
  • Information about HCPs training and qualifications, including hiring and termination dates in regard to current and former employers; office addresses and phone numbers; office e-mail addresses; education details; occupied position (including title and description); professional skills and achievements; work experience (Curriculum Vitae, recommendations, questionnaires, etc.); and information about professional assessments and trainings;
  • HCPs’ photographic images and video recording ; and
  • Other information about the HCPs required to manage the professional relationship with Ultragenyx and administer the program of compliance with internal policies of Ultragenyx.

We require this information to ensure that Ultragenyx:

  • operates within the boundaries established by applicable laws and regulations governing pharmaceutical companies,
  • adheres to regulatory requirements set forth by governmental agencies and authorities responsible for overseeing pharmaceutical products and activities,
  • upholds ethical standards and principles in all aspects of Ultragenyx’s operations, including research, clinical trials, marketing practices, interactions with healthcare professionals, and patient care,
  • complies with data protection laws and regulations to safeguard the privacy and confidentiality of personal data processed by Ultragenyx,
  • meets quality and safety standards established by regulatory authorities and industry organizations and
  • fulfills transparency and disclosure requirements.

In this regard, the legal basis for this processing is compliance with legal obligations.

In cases where Ultragenyx asks for HCPs’ consent to collect and Process HCPs Personal Data and HCPs choose to provide their consent, they may at any time withdraw their consent by contacting us as described in the “Data Protection Officer Contact Information” section. Please note that the withdrawal of consent will not affect Processing which has already occurred.

In other instances, where the Processing of HCPs Personal Data is necessary in order to comply with an applicable law or regulation or for the performance of a contract to which HCPs are subject to, they may not be able to opt-out of this Processing, or their choice to opt-out may affect our ability to perform the contract agreed upon between them and Ultragenyx.

In still other instances, where Ultragenyx is Processing HCPs Personal Data based on Ultragenyx’s legitimate interests in performing our business activity, HCPs have the right to opt-out of all such Processing of their Personal Data. They may do so by contacting Ultragenyx as described in the “Data Protection Officer Contact Information” section.

 

Disclosures

For the purposes described above, HCPs Personal Data may be provided to third parties, including Ultragenyx affiliates globally (a list of which is available at https://www.ultragenyx.com/) and agents, consulting companies, suppliers of goods and services such as suppliers of IT systems and companies providing administrative services for taxes, aggregate spending and other legal requirements, as well as companies organizing transportation and accommodation of participants for various events (including, but not limited to, travel companies and agencies, airlines, railway organizations and hotels).

In addition to the purposes described above, Ultragenyx may disclose Personal Data about the HCPs, including HCPs financial relationship with Ultragenyx and any amounts the HCPs has been paid by Ultragenyx, to government authorities, agencies or industry associations in connection with our activities, in response to authorized information requests, or as otherwise required by laws, regulations, or industry codes.

In the event Ultragenyx decides to reorganize or divest our business through sale, merger or acquisition, we may share personal information about the HCPs with actual or prospective purchasers. We will require any actual or prospective purchasers to treat this personal information in a manner consistent with this Notice.

 

Transfer

Due to the global nature of Ultragenyx’s operations, HCPs Personal Data may be transferred and stored in countries other than where the HCPs are based, including the United States as well as other countries located outside of the European Economic Area, Switzerland, Turkey and/or the United Kingdom. Some of these countries may have data protection laws that are not as stringent, but Ultragenyx has put in place appropriate safeguards to protect and maintain the confidentiality of HCPs Personal Data. When HCPs Personal Data is transferred outside of the European Economic Area, Switzerland, Turkey and/or the United Kingdom to Ultragenyx’s affiliates/liaison offices, partners, or vendors, Ultragenyx enters into standard data protection contractual terms (“Model Clauses”) that have been approved by the European Commission with these entities to ensure that these entities safeguard HCPs Personal Data and only Process HCPs Personal Data as provided in this Notice. Ultragenyx can provide the HCPs with a copy of these Model Clauses upon the HCPs written request to Ultragenyx’s Data Protection Officer (contact information below).

HCPs Rights

According to data protection laws, the HCPs are entitled to:

i. raise any questions, complaints, or concerns about how Ultragenyx processes HCPs Personal Data
ii. request access, copies, correction (if the HCPs believe the data is incomplete or inaccurate), restriction of the Processing of HCPs Personal Data, or deletion of HCPs Personal Data
iii. request the transfer of HCPs Personal Data, or that Ultragenyx cease using it,

by contacting our Data Protection Officer (contact information below). Please note, however, that certain Personal Data may be exempt from such requests pursuant to applicable laws and regulations.

If HCPs entered into a consulting agreement or similar arrangement with Ultragenyx, HCPs Personal Data is being provided to Ultragenyx as part of that contract. If the HCPs fail to, are unwilling to provide or withdraw consent to the Processing of HCPs Personal Data for the purposes described in this Notice, the HCPs will not be able to provide or continue providing the services described in that arrangement. If the HCPs withdraw consent, it will not affect the lawfulness of Processing based on consent before the withdrawal.

Retention

HCPs Personal Data may be retained by Ultragenyx for so long as is reasonably necessary to ensure Ultragenyx’s compliance with any contractual, legal or regulatory requirements. The criteria used to determine our retention periods include (i) as long as we have an ongoing relationship with the HCPs; (ii) as required to fulfil a contractual obligation to which we are subject; and (iii) as otherwise necessary for legal purposes that we are obliged to comply with (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).

Data Protection

Ultragenyx will take appropriate measures to protect HCPs Personal Data that are consistent with applicable privacy and data security laws and regulations, including requiring service providers to use appropriate measures to protect the confidentiality and security of Personal Data.

Ultragenyx may mandate third parties to perform activities or functions on our behalf that involve the use of Personal Data about the HCPs. In such cases, we will require these third parties to protect the confidentiality and security of the Personal Data that is shared with them. These third parties will be required to agree that they will abide to European data privacy laws and regulations, not use or disclose Personal Data about the HCPs except as necessary to provide services to us or perform services on our behalf, or as necessary to comply with applicable laws or regulations.

Data Protection Officer Contact Information

If at any time the HCPs have any questions, complaints, or concerns about how Ultragenyx Processes HCPs Personal Data; if the HCPs would like to request access, copies, correction (if the HCPs believe the data is incomplete or inaccurate), restriction, or deletion of HCPs Personal Data; if the HCPs would like to request the transfer of HCPs Personal Data, or that we cease using it, please contact our Data Protection Officer email: [email protected].

In addition to the Data Protection Officer, the HCPs may contact:

  • Ultragenyx Europe GmbH, with registered office at Lichtstrasse 35, 4056 Basel, Switzerland, telephone No. +41 61 204 4572.

The updated list of all data processors can be asked to Ultragenyx and can be released upon written request.

European Data Protection Authorities can be found here Our Members | European Data Protection Board

UK residents may submit a complaint to the UK Information Commissioner’s Office (ICO) here Make a complaint | ICO

Residents of Switzerland may contact for more information the Federal Data Protection and Information Commissioner (FDPIC) via the contact details available here Welcome to the FDPIC to report any violation of their privacy and data protection rights. However, the Swiss data protection legislator has given priority to individual action through civil law procedures and not through the intervention of the competent data protection authority. If the HCPs believe that the HCPs rights have been compromised, the HCPs may therefore bring a civil action in accordance with the applicable Swiss data protection legislation.

Turkey residents may submit a complaint to the Turkey Personal Data Protection Authority (KVKK) here (KİŞİSEL VERİLERİ KORUMA KURUMU | KVKK | Complaint to the Board).