Human Data Research Privacy Statement
Updated: September 15th, 2021, version 2.0
This Human Data Research Privacy Statement explains to you how we process your personal data. We have received your personal data from the original data owner who has collected it from you when you have participated in clinical research studies or you have given your sample to biobank research with your consent to share data with external researchers for scientific purposes.
We call scientific research conducted with such personal data Human Data Research.
Orion currently holds personal data for Human Data Research from
- UK Biobank, https://www.ukbiobank.ac.uk/
- Target ALS, http://www.targetals.org/
- Parkinson’s Progression Marker Initiative (PPMI), https://www.ppmi-info.org/
We respect your privacy and we are committed to protecting your personal data. This privacy statement describes to you the purpose for processing your data and tells you about your privacy rights.
Purpose of the Processing
The purpose of performing Human Data Research is to enable Orion Corporation to facilitate drug discovery and development through target identification and/or validation and personalised medicine therapy development.
This means that the data is being used to understand the links between biological mechanisms and disease, such as a genetic variant causing a specific illness or increasing the susceptibility to disease. Human Data Research studies help us to identify and select new drug targets for a particular disease or to identify a sub-group of patients in whom the effect of the drug is enhanced.
Personal Data We Collect
In Human Data Research, Orion Corporation only collects information related to the study subject that the study subject has consented to in their agreements with the original data collector. The data is always in pseudonymised form and it usually includes subject number, the subject’s sex, year of birth or age, and relevant medical history. In addition, the data provided may also contain data obtained from biological samples (DNA, RNA, metabolites), extensive medical history, information on behaviours and habits, ethnicity, and broad location.
Pseudonymisation is a safeguard measure that helps to protect your personal data. It means that personal data is processed in such a way that it can no longer be attributed to you without the use of additional information. Identification is possible only when the subject´s number is combined with the code key by the original data provider or the responsible investigator. Orion receive the personal data from the original data owner only in pseudonymised format. Therefore, we have no means to identify you from the data we receive.
Your pseudonymized data is copied from the source database(s) to Orion’s Data Science Workspace. We use information technology (IT) companies who assist us by performing data processing and technical operations such as data storage and hosting. All electronic data files will be stored in a system with restricted password protected access, available only for the designated authorized persons who need the information based on their role.
We will not disclose your data to any other third party. The sourced data is for internal use only. If, under certain conditions, the work on such data involves additional third-party collaborators, then the third-party needs to obtain the right to access the data from the data owner independently of Orion.
Retention of Personal Data
The personal data shall be retained by Orion Corporation in strict accordance with the data use limits set by the original data provider. If no such limit is set, then we will annually evaluate the continued use of the data set. Once the data use limit has been reached, or if it has been internally decided, then the whole data set, and any copies, will be deleted from Orion’s servers.
Legal Basis of Processing
The legal basis for the processing of your personal data in relation to Human Data Research is the legitimate interests of Orion Corporation as the data controller. “Legitimate interests” mean the interests of Orion Corporation to conduct scientific research in accordance with the European Union General Data Protection Regulation ("GDPR") Article 89(1). We need to process the personal data obtained from external human data cohorts for the purposes of drug discovery and development, such as target identification and/or validation and personalised medicine therapy development. When processing your personal information on the basis of our legitimate interests we comply with laws regulating the processing of personal data and we strive to ensure that any possible effect that processing might have on you is not unreasonable. Orion Corporation’s legitimate interests do not automatically override your rights and interests; we will not use your personal data for activities where our interests are overridden by the impact on you. Also, you have the right to object to the processing of personal data to scientific research purposes by Orion Corporation.
The processing of special categories of personal data is based on necessity to process such data for scientific research purposes in accordance with the GDPR Article 89(1) and the Finnish Data Protection Act.
Transfers of Personal Data
Data processing by Orion Corporation is performed in the European Economic Area (“EEA”) The personal data collected may be transferred to information technology (IT) companies who assist us by performing data processing and technical operations such as data storage and hosting, both inside and outside the European Economic Area (EEA). This means that your personal data may be processed or stored in a country that has less stringent data protection standards than those of the EEA. The personal data transferred outside the EEA is protected by appropriate contractual arrangements. For more information, please contact Orion Corporation.
In case you wish to obtain more information regarding the processing of your personal data, your rights as a data subject, or you want to exercise such rights, you can make a request to this effect by contacting the original data provider listed in section “Sources or Personal Data”. Depending on the original data provider you may have the right to request access to your personal data, the right to rectify any data that is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing, the right to erasure of your data, the right to restrict data processing, the right to data portability, and the right to object to data processing. Since Orion Corporation as the controller has only information related to your coded number, it is impossible for Orion Corporation to recognize or identify you or provide further information regarding the processing of your personal data. If, however, your questions relate to processing of personal data by Orion Corporation for Human Data Research in general, please contact Orion Corporation’s contact address below.
Contact information of the Human Data Research register: email@example.com
Contact information of the Data Protection Officer: firstname.lastname@example.org
If you have concerns regarding Orion’s processing of your personal data, you have the right to make a complaint to a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the General Data Protection Regulation.
We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.
Questions Regarding the Privacy Statement
If you have any questions about our Privacy Statement, or any concern about privacy at Orion Corporation, please contact us by e-mail at email@example.com .
To read more about Orion Corporation’s management of privacy please see the Orion Corporation Privacy Statement https://www.orion.fi/en/privacy/.
We may update or revise this Orion Corporation Human Data Research Privacy Statement at any time. When we change the Statement in a material way, a notice will be posted on our website along with the updated Privacy Statement.