1) General information
Your privacy is important to us. This Privacy Statement informs you about how Impatients N.V. (referred to in this Privacy Statement as “myTomorrows”, “we”, “our” or “us”) processes your personal data and about your privacy rights. This Privacy Statement relates to the processing of personal data about individuals (referred to in this Privacy Statement as “you” and/or “your”) who visit our website, apply for a position at myTomorrows, use our search engine, enrol in or be referred to an Early/Expanded Access Program (“EAP”) or are referred to a clinical trial (“CT”). Do you have questions about this Privacy Statement or the protection of your privacy? Please contact us via the contact information provided at the end of this Privacy Statement.
Download a PDF version of this Privacy Statement here.
2) Who is responsible for processing your personal data?
myTomorrows is a “controller” within the meaning of the General Data Protection Regulation (“GDPR”). This means that we are responsible for processing your personal data in accordance with the applicable data protection laws, including the GDPR.
In limited cases, we may also process personal data on behalf of a client. This is for instance the case when we provide support to you and/or your treating physician in accessing a pre-approval treatment you selected, and we perform pre-screening or other verifications regarding your health on behalf of the biopharma company to assess your eligibility for the treatment. In that case the biopharma company (our customer) is responsible for the processing of your personal data, not us. When relevant, we shall forward any privacy request to the biopharma company involved to handle your request and refer you to their Privacy Statement for further information.
3) Which personal data do we process and for what purpose(s)?
We process your personal data. By processing, we mean that myTomorrows may for instance collect, store, use and transfer your personal data, depending on the specific circumstances and context. You can read more about which personal data we process below.
1) Website-visitors
myTomorrows processes personal data for providing, maintaining, and improving our website. This may also include responding to your queries when you contact us via the website. For specific information on the cookies and similar technologies used in this respect, please refer to our Cookie Policy.
- The individuals involved. Website-visitors: individuals who visit our website.
- The purpose(s) of processing. When a website-visitor visits our website and / or contacts us via a chat functionality on our website or contacts us in another way, we will process your information for the following purposes:
- For maintenance, administration and network and security purposes;
- For internal control and business operations;
- For analyzing and improving our products;
- For handling any requests, complaints and disputes;
- For determining, exercising and defending our rights; and
- For complying with legal obligations (incl. fraud prevention) and requests of authorized governmental institutions
- The personal data that is processed. When a website-visitor visits our website or contacts us, we may process the following information:
- IP-address;
- Browser type;
- Browser (language) settings;
- Other technical information we may collect via cookies, such as regarding the interaction between the website-visitor’s device and our website. For instance, the web pages that were visited, new or returning visitors, frequency of visitation, time spent on the website and what pages have been read; and
- Information provided to us when you reach out to us via the contact form on our website, including: your full name, email, country of residence, and your message to us.
Special categories of personal data and sensitive information:
In principle we do not process special categories of personal data in the context of our website.
- Legal grounds for processing. We may only process your personal data if we have (a) legal ground(s) to do so. If you are a website-visitor, we will process your personal data based on our legitimate interest in offering and securing our website and pursuing the other processing purposes as listed above or based on your consent for collecting certain categories of personal data with the usage of cookies and other technologies. For more information about the types of cookies we use on our website, please be referred to our Cookie Statement.
2) Job Applicants
myTomorrows processes personal data about job applicants in order to consider the application in the context of hiring new employees.
- Individual involved. job applicant: individual who applies for a position at myTomorrows.
- The purpose(s) of processing. Assessment of the applicant’s suitability for a position that is or may become vacant at myTomorrows (recruitment).
- The personal data that is processed. When you apply for a position at myTomorrows, we may process the following information:
- Full name;
- Email;
- Telephone number;
- Address;
- Photograph;
- Gender;
- Education;
- Experience; and
- Other job-related information.
Special categories of personal data and sensitive information:
In principle we do not process special categories of personal data from job applicants in the context of recruitment.
- Legal grounds for processing. We may only process your personal data if we have (a) legal ground(s) to do so. If you are a job applicant, we will process your personal data based on our legitimate interest in selecting the best candidates for myTomorrows and in order to take steps at the request of the job applicant prior to entering into a contract or when processing is necessary in order to comply with legal obligations. We may also process your personal data based on consent, for instance in order to retain your application file for one year, in case we couldn’t provide you a job.
3) Patient-users
myTomorrows processes personal data about patient-users to provide information on possible treatment options. We do this, for instance, when you fill out search criteria by using the search engine, when you decide to upload personal data on the platform, or when you request a Treatment Search Report.
- The individuals involved. Patient-users: individuals who use our search engine (myTreatment Search) and/or myTomorrows’ platform.
- The purpose(s) of processing. We will process your personal data for the following purposes:
- To provide access to our platform and support from our Patient Navigators;
- To provide and optimize information on possible treatment options from Clinical Trial Databases worldwide;
- To match patient-users to treatment options, such as Clinical Trials (CTs) and Early-Access-Programs (EAPs) via our search engine and/or the patient portal;
- Assess eligibility for treatment options (CTs and EAPs);
- Provide a customized Treatment Search Report based on your search criteria, listing all possible treatment options;
- Refer patient-users to CTs;
- Analyse the search data form in the search engine to improve our algorithms;
- Provide insights from aggregated data on the use of our platform and the search engine to our clients.
- The personal data that is processed:
a) Search Engine.
We may process the following information to provide and optimize search results via our treatment search engine:
- Gender;
- Disease condition;
- Country of residence.
b) myTomorrows for Patients.
We may process the following information to provide access to our platform and support from our Patient Navigators:
- Username;
- Password;
- Full name;
- Contact details;
- Date of birth;
- Gender;
- City/country of residence;
If required for your request to us, we may also process the following information:
- Weight;
- Height;
- Ethnic origin;
- Treating physician;
- Health data;
- Treatment data; and
- Other relevant medical information (if necessary).
c) Search Report.
We may process the following information to provide a search reports to match patient-users to possible treatment options and assess eligibility for treatment options:
- Date of birth;
- Gender;
- City/country of residence;
If, and where applicable for your request, we may also process the following information:
- Weight;
- Height;
- Ethnic origin;
- Treating physician;
- Health data;
- Treatment data; and
- Other relevant medical data (if necessary).
Special categories of personal data and sensitive information:
myTomorrows processes health data to provide our products and services. Health data is only processed based on an exception to the processing prohibition as set out in article 9 of the GDPR.
- Legal grounds for processing. We may only process your personal data if we have (a) legal ground(s) to do so. If you are a patient-user, we will process your personal data based on your consent. In addition, we may also process personal data required to fulfil a contract with you in relation to non-sensitive data, for instance to provide you with access to our platform and to request personalized information.
4) Patient-participants
myTomorrows processes personal data to assess eligibility for treatment options (e.g. CTs and EAPs) and to provide support to patients in accessing treatment options.
- The individuals involved. Patient-participants: individuals who decide to pursue one of the treatments in the personalized Treatment Search Report and enroll in a program to gain access.
- The purpose(s) of processing. We will process your personal data for the following purposes:
- To run EAPs and to provide patients with access to treatment options;
- To obtain approval from regulatory authorities to provide access to treatment options;
- To collect safety information and report adverse events with regard to EAPs;
- To assess the safety and effectiveness of EAP treatment and collect research data for EAP studies.
- The personal data that is processed:
a) Expanded/Early Access Programs.
We may process the following information to run EAPs and provide patients with access to treatment options.
- Full name;
- Initials;
- Contact details;
- Date of birth;
- Gender;
- City/country of residence;
If applicable, we may also process the following information:
- Weight;
- Ethnic origin
- Treating physician;
- Health data;
- Treatment data;
- Genetic data; and
- Other medical information (if necessary).
b) Regulatory approval.
We may process the following information to obtain approval from regulatory authorities to provide access and traceability for treatment options.
- Weight;
- Ethnic origin
- Treating physician;
- Health data;
- Treatment data;
- Genetic data; and
- Other medical information (if necessary).
c) Safety reporting.
We may process the following information to collect safety information and report adverse events about EAP treatments.
- Initials;
- E-mail;
- Data of birth
- Gender;
- City/country of residence;
- Adverse event;
- Outcome of the event;
- Effect of treatment;
- Laboratory data;
- Other medication
- EAP number;
- Prescribed treatment;
- Quantity of treatment;
- Pharmacy location.
If applicable, we may also process the following information:
- Weight;
- Ethnic origin
- Treating physician;
- Health data;
- Treatment data;
- Genetic data; and
- Other medical information (if necessary).
d) Real-World Data (RWD).
We may process the following information to assess the safety and effectiveness of EAP treatment and collect research data for EAP studies.
- Full name;
- Initials;
- Contact details;
- Date of birth;
- Gender;
- City/country of residence;
If applicable, we may also process the following information:
- Weight;
- Ethnic origin
- Treating physician;
- Health data;
- Treatment data;
- Genetic data; and
- Other medical information (if necessary).
Special categories of personal data and sensitive information:
myTomorrows processes health data to provide our products and services. Health data is only processed based on an exception to the processing prohibition as set out in article 9 of the GDPR.
- Legal grounds for processing. We may only process your personal data if we have (a) legal ground(s) to do so. If you are a patient-participant, we will process your personal data based on your consent. In addition, we may also process personal data required to fulfil a contract with you in relation to non-sensitive data, for instance to provide you with access to our platform to upload the requested (medical) file(s).
5) Healthcare professionals.
myTomorrows processes personal data about healthcare professionals. For instance, to provide access to our search engine and our platform, respond to questions when you contact us directly or to reach out to you for general inquiries.
- Individuals involved. Physicians: treating and non-treating physicians.
- The purpose(s) of processing.
- Healthcare professional administration for patients that are enrolled in an EAP;
- Management of EAP treatment.
- Ensuring quality of customers;
- Delivery of products and services to customer.
- The personal data that is processed.
- Full name;
- Email;
- Telephone number;
- Function;
- (Medical) specialization; and
- Registration number.
Special categories of personal data and sensitive information:
In principle we do not process special categories of personal data about health care professionals in the context of our products and services.
- Legal grounds for processing. We may only process your personal data if we have (a) legal ground(s) to do so. If you are a physician, we will process your personal data based on consent, for the performance of a contract or to take steps at your request prior to entering into a contract. We may also process your personal data based on legal obligations, for instance to comply with tax obligations.
6) Legitimate interests
In addition to the specific interests per purpose as specified above, we may process your personal data based on our legitimate interest for the following purposes:
- For determining, exercising and defending our rights;
- For complying with legal obligations (incl. fraud prevention) and requests of authorized governmental institutions; and
- In the context of mergers and acquisitions, including due diligence projects.
4) How do we obtain your personal data?
We obtain your personal data in various ways:
- Provided by you. Some data we receive directly from you, for example information you provided during your application for a position at myTomorrows, questionnaires you completed to receive information on possible treatment options, files you uploaded to access a treatment or from correspondence with you, such as with our medical liaisons or through the chat functionality on our website.
- Obtained from third parties. We could also obtain personal data about you from other people or external parties. Examples include your colleagues (if you’re a job applicant) or your treating physician (if you’re a patient-participant) or other parties who are involved with our mutual relationship, such as other healthcare professionals or pharma companies that use our platform. We may also obtain information from public registers of company directors and participating interests.
- Automatically obtained. Some personal data we obtain automatically, for example by using cookies and similar techniques. For more information about cookies and similar techniques, go to our Cookie Statement.
- Derived. Certain personal data we do not receive directly, but can be derived from the information we already have about you.
If you do not provide personal information:
In principle you are under no obligation to provide any information about yourself to us. However, refusal to supply certain information could have a negative influence on, for example, our service provision to you or the functionality of the services that you use from us.
If the provision of certain personal data is a legal obligation or an essential contractual requirement for concluding an agreement with us, we will separately provide additional information about this for as far as this is not clear in advance. In this case we will also inform you about the possible consequences if this information is not provided to us.
5) Who do we share your data with?
We only share your personal data with third parties, if:
- This is necessary for the provision of a service or the involvement of the third party. Sub-contractors, for example, will in principle only get access to the personal data that they require for their part of the service provision and will not be allowed to process the data for their own purposes.
- The persons within the third party that have access to the personal data are under an obligation to treat this data confidentially. Where necessary this is also contractually agreed on.
- The third party is obliged to comply with the applicable data protection laws. We have concluded an agreement with this party that stipulates that the party is obliged to implement and maintain appropriate technical and organizational measures to ensure protection of personal data and the rights of Individuals, and that any transfer of personal data to countries outside the EEA is only legitimized on the basis of an adequacy decision or other appropriate measures.
We may share your personal data on a need-to-know basis with the parties mentioned below. In this context, “need-to-know” means that a party is only granted access to personal data if and insofar as this is required for the services provided by this party.
- Authorized persons, employed or engaged by myTomorrows, who are involved with the processing activity concerned, such as the members of our team you are in contact with, for instance HR for recruitment or medical liaisons for information on treatment options.
- Authorized persons, employed or engaged by affiliated companies and/or parties in the private sector with whom we work and may share certain personal data, such as accountants, payroll agencies and healthcare professionals.
- Authorized persons, employed or engaged by service providers / sub-contractors engaged by myTomorrows, who are involved with the processing activity concerned, such as cloud hosting providers.
- Authorized government institutions. Such as, courts, police, and other law enforcement agencies. We may release information about Individuals when legally required to do so, at the request of governmental institutions conducting an investigation or to verify or enforce compliance with myTomorrows’ policies and the applicable laws. We may also disclose information in this regard whenever we believe disclosure is necessary to protect the rights, property or safety of myTomorrows, or any of our respective business relations.
- Aggregate Information. We may also disclose non-identifying, aggregated statistical information to third parties and / or myTomorrows’ affiliates for a variety of purposes, including work-flow management.
6) How do we secure your personal data?
Protecting the Individuals’ privacy and personal data is very important to us. Therefore, myTomorrows has implemented appropriate technical and organizational measures to protect and secure your personal data against violations of the confidentiality, integrity, and availability of data.
We have internal policies and procedures in place that describe how we safeguard an appropriate level of technical and organizational security. For instance, a data breach procedure is applicable within myTomorrows, in which is explained how to deal with (potential) data breaches. We will, for example, inform the competent supervisory authority and involved Individuals when this is required based on the applicable law. In addition, we have back-up and restore systems in place for the recovery of your personal data when necessary.
You can contact us if you want additional information about how we protect your personal data. Our contact details are stated at the end of this Privacy Statement.
7) To which countries will we transfer your personal data?
myTomorrows will in principle not process your personal data in countries outside the European Economic Area (EEA). In case your data is processed outside the EEA, the transfer is legitimized in the manner described below. You can find an overview of the EEA countries here.
Transfers outside the EEA.
The transfer of your personal data to a third party outside the EEA, can in the first place be legitimized based on an adequacy decision adopted by the European Commission, in which it decided that the (part within the) third country in question offers an adequate level of data protection. You can find an overview of the adequacy decisions that have been taken here.
If your personal data is transferred to a country outside the EEA for which there is no adequacy decision in place, we implement the relevant version of the Standard Contractual Clauses (SCCs) in the (prospective) contract with the party involved in the transfer. This is a standard contract approved by the European Commission to safeguard the protection of your personal data and in which the parties fill out the appendices to provide relevant information about the processing. Where appropriate, additional safeguards are taken.
You can contact us if you want additional information about the way in which we legitimize the transfer of your personal data to countries outside the EEA. Our contact details are stated at the end of this Privacy Statement.
8) How do we determine how long we retain your personal data?
1) Main rule
In general, myTomorrows does not keep personal data for longer than is necessary in relation to the purposes for which we process your personal data. For example, we erase data about job applicants four weeks after the end of the selection procedure, unless the applicant is subsequently employed by us or consents to an extended retention period of one year. We may apply (longer) standard retention periods if this is required to comply with minimum statutory retention periods. For example, data required for pharmacovigilance is retained for 10 years after termination of a treatment.
2) Exception: shorter retention period
If you successfully exercise one of your privacy rights, we may process your personal data for a shorter period, than as stated under the ‘main rule’ above. Please be referred to the ‘What are your privacy rights?’ section below, for more information on this.
3) Exception: longer retention period.
In certain situations, we process your personal data for a longer period of time than is necessary for the purpose of the processing. This is for instance the case when we process your personal data for a longer period of time due to:
- A retention obligation. To comply with a minimum retention period or other legal obligation to which myTomorrows is subject based on EU law or the law of an EU member state.
- A procedure. Personal data which is necessary in relation to legal procedures.
- The right to freedom of expression. When further processing of personal data is necessary to exercise the right to freedom of expression and information.
- Your (explicit) consent. For example: this is the case in the example regarding data about job applicants provided under the ‘main rule’ above.
You can contact us if you want more information about why and how long we process your personal data. Our contact details are stated at the end of this Privacy Statement.
9) What are your privacy rights?
Based on the GDPR you have various privacy rights. To what extent you can exercise these rights could depend on the circumstances of the processing, such as the way myTomorrows processes your personal data and the applicable legal ground. For more information about your privacy rights, you can visit the website of the European Commission here. We have included a summary of your privacy rights under the GDPR below.
1) Applicable privacy rights.
In relation to our processing of your personal data, the below privacy rights may apply.
- Right of access. This concerns the right to request access to your personal data. This enables you (or your legal representation) to receive a copy of the data we hold about you (but not necessarily the files themselves). We will then also provide further information concerning our processing of your personal data. For example, the purposes for which we process the data, how we obtained it, and with whom we may share it.
- Right to rectification. This concerns the right to request rectification of the personal data that we hold about you. This enables you (or your legal representation) to have any incomplete or inaccurate data corrected.
- Right to erasure. This concerns the right to request erasure of your personal data. This enables you (or your legal representation) to ask us to delete or remove personal data where: (i) the data is no longer necessary, (ii) the processing activities have been objected to, (ii) the data has been unlawfully processed, (iv) the data has to be erased on the basis of a legal requirement, or (v) where the data has been collected in relation to the offering of information society services. However, we do not have to honor such requests in all cases.
- Right to object. This concerns the right to object to the processing of personal data where we are relying on our legitimate interest as processing ground (see above). Insofar as the processing of the data takes place for direct marketing purposes, we will always honor an objection. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override the Individual’s interests, rights and freedoms or that are – for example – related to the institution, exercise or substantiation of a legal claim. If such is the case, we will inform you about our compelling interests and the balance of interests made.
- Right to restriction. The right to restriction of processing means that myTomorrows will continue to store personal data at the request of you (or your legal representation) but may in principle not do anything further with it. In short, this right can be exercised when myTomorrows does not have (or no longer has) any processing grounds for the processing of your personal data or if this is under discussion.
- Automated decision-making. This concerns the right not to be subject to a decision based solely on automated processing, which significantly impacts the Individual involved. In this respect, please be informed that when processing your personal data, we do not make use of automated decision-making.
- Right to withdraw consent. This concerns the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to complaint. This concerns the right to lodge a complaint with a supervisory authority, in the EU Member State of the Individual’s habitual residence, place of work or where an alleged infringement took place. Please be referred to the website of the European Data Protection Board (EDPB) for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with any concerns before the supervisory authority is approached, so please contact us beforehand.
2) How do you exercise your privacy rights?
You (or your legal representation) can exercise your privacy rights free of charge, by submitting your request to our Data Protection Officer by email at dataprotection@mytomorrows.com or by contacting us on the contact details provided at the bottom of this Privacy Notice.
3) Verification of your identity.
We may request specific information, such as a copy of your identification, to help us confirm your identity (or that of your legal representation) before we further respond to your privacy request.
4) Follow-up on your request(s).
We will provide information about the follow-up of the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months.
10) How can you contact us?
If you have any questions, concerns, or complaints, feel free to contact our Data Protection Officer at dataprotection@mytomorrows.com or at the contact details below.
Impatients N.V.
Attn: Data Protection Officer
Anthony Fokkerweg 61
1059 CP Amsterdam
The Netherlands
In addition, you may file a complaint with the Netherlands Data Protection Authority (DPA) if you believe that the processing of your personal data is unlawful. More information about filing a complaint with the Dutch Data Protection Authority (DPA) can be found here.
11) Changes
We may change this Privacy Statement from time to time to accommodate new technologies, industry practices, regulatory requirements or for other purposes. The latest version can always be consulted on our website.