This privacy notice explains how we process personal data in our business as per the General Data Protection Regulation (GDPR) and other relevant privacy laws applicable to our business.

Please note that this entire document is protected by copyright and you may not copy any text from it.

 

If you have any questions about this privacy notice, feel free to contact us at:

Company name: Lytix Biopharma AS
Business address: Sandakerveien 138, 0484 OSLO
Contact email address: post[at]lytixbiopharma.com

For general comments/questions linked to GDPR, please use our email address DPO[at]lytixbiopharma.com

 

***

 

We take your privacy seriously and we have taken several steps to ensure that we provide you with clear and transparent information on how we process your data, and also inform you about your rights. If you feel that any information is unclear, or missing, please do not hesitate to contact us.

 

Your data protection rights

  • Your rights of access and rectification: You may request access to or a copy of the information we process about you and ask us to rectify any incorrect data.
  • Your right to erasure or restriction: In some circumstances, you may ask us to delete and/or restrict our processing of your data, but we cannot delete any data we are required to process.
  • Your right to object to processing: In some circumstances, you may ask us to stop processing your data.
  • Your right to data portability: In some circumstances, you may ask us to transfer your data to you or to another organisation.
  • Also, if you’re unhappy about how we process your data, you have a right to complain to a national data authority (Datatilsynet). We hope, however, that you will contact us first so that we can try to resolve the matter for you in a satisfactory way.

Please contact us if you have any questions or want to exercise one of your rights. You are entitled to a reply within 30 days.

 

How we get your personal data

We typically process personal data about:

  • Customers
  • Potential customers
  • Vendors
  • Partners
  • Shareholders
  • Website visitors
  • Job applicants
  • Employees
  • Former employees

We process personal data when you:

  • buy our services
  • subscribe to our newsletter
  • sign up for our events
  • provide us with your contact details, e.g. give us your business card
  • contact us via phone, text, email, social media or our website
  • otherwise use our website

It is voluntary to provide us with personal data, but if you choose not to, we may not be able to provide you with our services. We do not rent, buy or sell personal data from or to others, use automated decisions or profiling in the processing of your personal data or process special category data.

 

Purpose, lawful basis and retention periods

We only process your personal data when we have a purpose and a lawful basis for doing so. Under the GDPR Article 6-1, the lawful bases we rely on, are:

a)    Your consent
b)    We have a contractual obligation (contract)
c)    We have a legal obligation
d)    We have a legitimate interest

As a rule, personal data should not be processed and kept for longer than necessary to fulfil the purpose for processing.

Your personal data is only retained for as long as we have a purpose and a lawful basis:

  • Until you withdraw your consent (e.g. for email and newsletters)
  • For as long as we have a contractual obligation, and, if applicable, in accordance with accounting and bookkeeping rules and regulations
  • For as long as we have a legal obligation; in accordance with accounting and bookkeeping rules and/or other legal requirements and regulations (e.g. for employment)
  • For as long as we have a legitimate interest or until you ask us not to process your data in such a way (e.g. newsletters)

You can always withdraw your consent for any data processing based on consent, and you can also reach out to us at any time if you’d like us to stop processing and/or ask us to delete any of your data.

We have routines in place to ensure that personal data is deleted from all relevant systems when we no longer have a purpose and/or legal basis to continue to process them.

 

Details on the processing of your personal data

In this section we describe in detail when and how we process your data, for what purposes and our legal grounds to do so (lawful bases). We also specify the retention periods for the processing.

We process personal data when:

 

You communicate with us

When you contact us through our website, e-mail, phone, social media and/or give us your business card, we process personal data. Depending on where and how you contact us, this may include your name, contact details, IP address and other information you choose to send to us.

The purpose is to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. The lawful basis is f), where the legitimate interests are to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. We review this data at our annual (internal) GDPR audit and delete personal data as appropriate.

 

You apply for a job, or you work, at our company

When applying for a job with us, we process personal data such as your name, contact details, CVs, references, and other relevant information. The purpose is to be able to assess your application. The lawful basis is b) necessary for the performance of a contract, and possibly GDPR Article 9 (2) b) and h) if your application contains special categories of personal data.

For employees, we process personal data as mentioned above, in addition to other general employment data (for payroll, insurance, sick leaves etc.). The purpose is to be able to manage the employment relationship. The lawful basis for this is b) contract, and possibly Article 9 (2) (b) and (h) for special categories of personal data, as well as c) legal obligation related to labour laws.

As a rule, general employee information is deleted when the employment relationship ends. However, some information is kept for accounting purposes, and some extraordinary reasons, such as a dismissal or dismissal dispute, may make it necessary to keep employment data for a longer time period. Job applicants can ask us to retain their data for other applications in the future, otherwise the information is deleted when a candidate has been selected, at the latest at our next GDPR audit.

 

You subscribe to our news releases

We regularly send out emails with press releases/news from the company. When you become a subscriber, we process personal data such as your name and email address. The purpose is to share updates, articles and other news. The lawful basis is a) consent and you can easily unsubscribe at any time by replying "unsubscribe" to any such newsletter.

We process the data for as long as you subscribe, after which it will be deleted at our next GDPR audit .

 

You attend our events/shareholder meetings

When you attend our events or meetings, we process personal data such as your name, contact details and, sometimes, access requirements. The purpose is to be able to process your registration and attendance. The lawful basis is a) consent. If we collect any information about access requirements, we also need your consent under GDPR Article 9 (2) (a).

We may also use your data to send you an evaluation of the event you attended, or to invite you to other relevant events we think you might be interested in. The lawful basis is f), where our legitimate interest is to analyse and run our business effectively and to provide you with good customer service. If you do not wish to receive such messages, you just have to inform us through an email to post@lytixbiopharma.com.

 

You supply services to or collaborate with us

When you enter into an agreement with us either as a vendor, partner or data processor, we process personal data such as your name, contact details and correspondence. The purpose is to be able to enter into this agreement and to respond to your inquiries and the lawful basis is b) contract. We review this data at our annual GDPR audit and delete personal data as appropriate. We process other communication data as per the first paragraph in this chapter, please see above.

 

You use our website

When you use our website, we may process personal data such as IP address and other technical data collected via cookies and analytics tools. The purpose is to run our website effectively. The lawful basis for processing personal data through cookies that are strictly necessary is a) consent. Read more in our Cookie notice.

 

Whom we share your personal data with

To run our business efficiently and securely, we sometimes have to share your personal data with other parties such as:

  • Public authorities we are obliged to report to
  • Our accountant, auditor, lawyer and others helping us in a professional capacity
  • Data processors: providers of services that process your personal data on our behalf*
  • IT support, if necessary

We require that all such recipients secure data in accordance with good information security. We enter into a data processing agreement/addendum with anyone who processes data on our behalf, as per the requirements in the GDPR Article 28-3.

* We use data processors for:

  • Email, calendar and digital meetings
  • Accounting/bookkeeping and invoicing
  • Cloud storage and network
  • Our website
  • Signing documents electronically

To protect our business we don't publish further details (like names) of our data processors. If you'd like to know more about our processing and whom we share your personal data with, please contact us.

 

Transfer of personal data outside the EU/EEA

In some cases, your personal data will be transferred outside the EU/EEA, e.g. where we use data processors to manage cloud storage, email services and web hosting.

We only use data processors we trust, that are well known and those we have a data processing agreement/addendum with. We check whether a country outside the EU/EEA offers an adequate level of data protection (has obtained an EU “adequacy decision”) or, if this is not the case, that other necessary safeguards are in place like the EU Standard Contractual Clauses (“SCC”, also called Model Clauses) or Binding Corporate Rules. If you would like to know where your particular data is processed, which safeguards we have for this and what other measures we have taken to protect your data, please contact us.

 

Information security

We take information security seriously and we will always do our utmost to safeguard your personal data in the best possible way. For example, we use strong passwords, data encryption, access control and two-factor authentication to secure our data and prevent unauthorized persons from accessing, altering, deleting, or in any way affecting the data we store, including your personal data.

We only allow others to access and/or process your personal data in accordance with our instructions, and only when strictly necessary (e.g. when we require IT support).

We have implemented a policy for technical and organisational measures and a routine for managing data breaches. If we experience a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and it poses a medium to high risk for the people affected, we will notify the national data authority within 72 hours. If the risk is deemed high for the people affected, we will also notify them directly, if possible.

 

This document was last updated in May 2023