Privacy Notice for Clinical Trials in UK

Effective On:December 22, 2021
Last Modified On:December 22, 2021

1. Introduction

SymBio Pharmaceuticals Limited. ("SymBio", "we", "us", "our") takes the protection of your personal information ("Personal Data") very seriously. Personal Data is any information about you that can be used to identify you as a person. This Privacy Notice (this "Notice") describes how we use your Personal Data when we conduct clinical trials (a "Trial" or the "Trials").

SymBio as Sponsor of the Trial listed below, is the "data controller" for your Personal Data. This Notice is meant to help you understand what information we collect when you agree to be part of one of our Trials, why we collect it, and your rights. We are required to give you this information in order to comply with the privacy law, including Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) and the GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and any regulations thereunder, and the UK Data Protection Act 2018 (the "UK GDPR").

This Notice does not apply to Personal Data we collect by other means, like Personal Data that we receive directly through our public website ( This Notice also does not apply to Personal Data of our employees, job applicants and contractors.

2. Current Scope

SymBio Pharmaceuticals Limited has begun a study of an investigational drug (also known as the "study drug") called brincidofovir as a possible treatment for adenovirus (a common type of virus) infection. If you have consented to be a part of this Trial, or you are an investigator or other site personnel involved in this trial, we will use and protect your Personal Data as described below.

The current Trial is called "A Phase IIa, Open-label, Multiple Ascending Dose Confirmation Study of the Safety and Tolerability of Intravenous Brincidofovir in Subjects with Adenovirus Infection"

The Informed Consent Form ("ICF") you or your parent signed in order to be a participant in this Trial also contains information about your privacy rights. Each ICF may have slightly different terms to account for different rules in the jurisdictions in which we conduct Trials. If there is a conflict between a part of this Notice and what is in the ICF you signed, the terms in the ICF will control (meaning they are the terms that will apply to the processing of your data).

3. Controllership

Within the scope of this Notice, SymBio acts as a data controller for the Personal Data we collect, use and process ("process"). This means that we determine the purposes and the means of the processing of Personal Data.

However, we do not have direct access to Trial patients' identifiable Personal Data, meaning that we are typically unable to directly identify Trial patients pursuant to Good Clinical Practice Guidelines. Your Personal Data is collected by the clinical research organization (CRO) assisting us with the Trial, the Trial site (the doctor's office, clinic, hospital, or other healthcare facility where the Trial is being conducted), or other third parties, such as your primary care doctors. When any information relating to Trial patients is shared with us, it will be key-coded (also known as "pseudonymized") so that you will not be identified by any direct personal identifier.

4. Basis of Processing

Before, during, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on an appropriate lawful basis for processing your Personal Data. We will only process your sensitive Personal Data (like health and genetic data) when allowed by law.

Trial participants:

  • We process your Personal Data for safety and reliability purposes in order to comply with our legal obligations.
  • We process your Personal Data for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.
  • If we process your Personal Data for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interest in conducting further research.
  • SymBio will need to process data about your health in order for you to participate in a Trial. Health data is considered sensitive Personal Data (also known as a "special category" of Personal Data) and special rules apply to working with it. When we process special categories of your Personal Data, including health data or data about your race or ethnicity, we usually do so based on your explicit consent, which you gave in the Informed Consent Form you signed when you joined the trial. We may also process this information when the processing is necessary for reasons of public interest in the area of public health. Those reasons include making sure our drugs are safe and effective, and conducting our Trials safely.

Trial personnel:

  • SymBio may process the Personal Data of Trial personnel based on our legitimate interests in facilitating the operation of our business and conducting Trials, making informed investigator selection decisions, and improving our principal investigator and Trial staff recruiting and contracting processes.
  • We also process Personal Data because it is necessary for the performance of the contracts between SymBio and Trial sites, including by enabling us to communicate with you and other principal investigators about the performance of the relevant Trial.
  • SymBio may process Personal Data of Trial personnel in order to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect Personal Data from individuals who participate in the conduct of a Trial.
  • Personal Data may also be processed based on your consent.

5. How We Receive Personal Data

In the context of this Notice, we collect your Personal Data only from the following sources:

  • you provide it to us when you participate in a Trial (including when you provide your Personal Data to one of our service providers acting on our behalf);
  • a study doctor (also known as an "investigator") or other healthcare personnel at the study site provides it to us, or your healthcare provider provides it to us;
  • we receive it from the clinical research organization that conducts the Trial on our behalf; or
  • you provide it to us in your role as Trial personnel in the context of assisting in the operation of a Trial.

6. Categories of Personal Data

SymBio or its service providers, including the CRO, may have access to and process the following types of Personal Data about Trial participants (in pseudonymized or key coded-form, meaning it will not be associated with your or your child's name):

  • health care information, such as the identity and contact information of your or your child's doctors and health care providers;
  • health information, such as your or your child's medical background and current medications, history, results of physical examinations and laboratory tests conducted in this Trial, and reaction to the Trial drug;
  • other demographic and sensitive information, including age (month and year), sex, race, and ethnicity; and
  • location information, such as the location of your testing site and Trial location.

Your or your child's name may be viewed by one of our service providers, like the CRO, when they are acting to ensure or verify the accuracy of records involved in the trial, but that information will never be copied into any system that we have access to and will not be made available to us.

SymBio may collect and process the following types of Personal Data about Trial personnel:

  • personal details of Trial personnel, such as your name, age, gender and contact details;
  • professional details of Trial personnel, such as your place of practice, job title, the medical field in which you are active, professional qualifications and scientific activities; and
  • professional financial details of Trial personnel, such as payment-related information.

7. Purpose of Processing

We will process Trial patients Personal Data for the purposes of:

  • determining your eligibility for a Trial;
  • conducting the Trials;
  • ensuring that each Trial drug is safe and reliable; and
  • conducting related scientific and medical research.

We also process your Personal Data for the specific purposes described in the ICF provided to you by Trial personnel.

We will process Trial personnel Personal Data for the purposes of:

  • managing our relationship with Trial personnel;
  • contacting Trial personnel for planning and organizing the Trials;
  • conducting the Trials; and
  • complying with applicable laws and regulations.

8. Data Retention

SymBio will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable law.

Our Trials are long-term. We use them to track the effects of test medications using information collected from Trial participants like you. This means we will need to keep your Personal Data for a long time. However, in order to protect your privacy, the information of every Trial participant is "key-coded" before we enter it into the studies and reports. This means that we replace identifying information like your name and contact information with a code number.

To the maximum extent permitted by law, once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. For example, European law requires us to keep Personal Data that is part of the clinical trial master file for at least twenty-five years after the conclusion of the applicable Trial. Other laws may require different retention periods.

9. Sharing Personal Data with Third Parties

We will share your Personal Data with service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by applicable law.

We may share your Personal Data with the contracted research organization for Trial operations, with the laboratories involved in analysing the medical data involved in the Trial, with service providers involved in evaluating drug safety and efficacy, and with cloud-based software providers, providers of medical software, hosting, data analytics, and other service providers who host the platforms used to facilitate the Trial.

We require that all of these service providers protect your Personal Data, including through the adoption of adequate security measures, and use the data solely to provide the services to us.

We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right, meaning they also may determine the purpose or means of collecting or using your data for their own purposes. They will have their own privacy notices to govern their collection, use, and protection of your data. These third parties include clinical sites like hospitals and medical offices, and public government agencies.

We may share your Personal Data with certain regulatory agencies who oversee the conduct of clinical trials, including the United States Food and Drug Administration ("FDA"), the European Medicines Agency ("EMA") and the Medicines and Healthcare products Regulatory Agency ("MHRA"), and the Japanese Pharmaceuticals and Medical Devices Agency ("PMDA") as required to comply with certain reporting and regulatory obligations or in the context of future research. If we have to disclose your Personal Data to a government or law enforcement authority, we may not be able to ensure that those officials will protect your Personal Data to the same standard as we require in our contracts with our service providers.

10. Data Transfers

Some of these service providers and other third parties are located outside of the UK and European Union, for example, in the United States and Japan. Therefore, your Personal Data may be processed outside your jurisdiction and in countries not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and that may not provide for the same level of data protection as your jurisdiction.

We ensure that the recipient of your Personal Data offers an adequate level of protection, for instance, by entering into appropriate data protection agreements and where required, the European Commission-approved standard contractual data protection clauses.

11. Other Disclosure of your Personal Data

We may disclose your Personal Data:

  • to the extent necessary, to regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order;
  • if, in the future, we sell or transfer, or we consider selling or transferring, part or all of our company, business, shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events; or
  • in the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events; and/or
  • if necessary, to our group companies for business purposes, as described above.
  • If you want to receive the list of the current recipients of your Personal Data, please make your request by contacting our Data Protection Officer at the contact details provided below.

12. Data Integrity & Security

We have put in place, and have required our service providers to put in place, technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include the use of measures like key-coding and encryption, where appropriate. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know and are subject to confidentiality obligations.

13. Your Privacy Rights

You have specific rights regarding your Personal Data that we collect and process.

For Trial Participants: to exercise the rights we explain below, please first speak with your study doctor instead of contacting us directly.

If we process your or your child's Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. You may also have the right to ask that we limit our processing of your Personal Data, as well as the right to object to our processing of your Personal Data. You may also have the right to data portability, which means that you may have the right to ask us to provide you with a copy of your Personal Data that another company like SymBio can process.

To submit these requests or raise any other questions, please contact us by using the information in the "Contact Us" section below. You may also have the right to lodge a complaint with a data protection regulator in your applicable jurisdiction

14. Data About Children

We obtain parental or legal guardian consent before processing Personal Data about children.

15. Changes To This Notice

If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the "Last Modified" date.

16. Contact Us

If you have any questions about this Notice or our processing of your Personal Data, please first speak with your study doctor. You may also contact our Data Protection Officer (DPO) at or at the contact information provided below. Upon receipt of your request, please allow up to one month for us to reply.

17. Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). Please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe's contact details are:

100 M Street S.E., Suite 600
Washington, D.C. 20003
Tell: +1-617-398-7067

18. United Kingdom Representative

We have also appointed VeraSafe as our representative in the United Kingdom ("UK"). While you may also contact us, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: or via telephone at :+44 (20) 45322003.

VeraSafe can also be contacted by mail at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom