Privacy policy

1. Context

1.1. Background

Broken String is committed to conducting business in compliance with applicable regulations that embrace high standards for data protection and appropriate data use. This document details how Broken String uses and protects personal data, in particular health data processed by the INDUCE-seq platform, and the data security measures and personal data pertaining to Broken String's employees.

It describes the data protection principles set out in the applicable regulations, so that compliance is maintained on an ongoing basis. This policy outlines key principles as described by the GDPR, the UK GDPR and other applicable regulations. For communication with the data protection officer, please send an e-mail to: [email protected]

1.2. Personal Data Protection Regulations

Broken String ensures its data practices are in compliance with all applicable privacy and data protection regulations and statutes.

1.3. The European Regulations

1.3.1. The General Data Protection Regulation (GDPR):

Broken String commits to comply with Regulation (EU) 2016/679 for any data processing involving European Economic Area (EEA) personal data. This applies to activities carried out in the EEA, such as processing EEA residents' data through the INDUCE-seq platform, even if operations take place outside the EEA.

1.3.2. The UK Data Protection Act 2018:

Broken String commits to comply with the Data Protection Act 2018, which incorporates the GDPR into UK legislation. This applies to activities related to processing UK residents' data for purposes such as Human Resources.

1.3.3. European Local Regulations:

Broken String commits to comply with any European local regulations (laws, guidelines, opinions) applicable in addition to the GDPR.

1.4. The Non-European Regulations

  • HIPAA: Broken String may be considered a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"). It treats Protected Health Information ("PHI") with HIPAA standards to ensure rigorous protection across its systems.

  • State Privacy Laws: Broken String commits to comply with any US state regulations applicable to its activities.

2. Definitions

  • GDPR: General Data Protection Regulation.

  • Data Breach: Any breach of security that can lead to the disclosure, alteration, unauthorized access, or destruction of personal data.

  • Data Subject: Any identified or identifiable natural person.

  • Personal Data: Any information that identifies, or renders identifiable, a data subject.

  • Processing: Any operation on personal data including collection, recording, organization, storage, use, disclosure, or destruction.

3. Scope

This Data Privacy Policy applies to all Broken String employees, consultants, and contractors involved in collecting, processing, handling, and reviewing personal data, whether derived from health data or generated throughout the company's corporate lifecycle.

4. Responsibilities

  • Employees: Responsible for submitting all data subject requests to the DPO, reporting any data breach immediately to the DPO and IT team, and adhering to this policy.

  • DPO: Responsible for maintaining this policy and ensuring compliance by providing advice and taking necessary actions.

  • IT: Responsible for handling any Data Breach when notified and recording it for the DPO/QA team.

5. Privacy Principles

5.1. Lawfulness, Fairness, and Transparency:

Data is processed on a lawful basis (e.g., legitimate interests, consent, legal obligation). Transparency ensures individuals understand how their data is used.

5.2. Purpose Limitation:

Purposes for processing must be clearly defined from the outset. Data is only reused for compatible purposes.

5.3. Data Minimization:

Broken String only processes data that is necessary and proportionate to the purpose.

5.4. Data Accuracy:

Data must be kept accurate and up to date.

5.5. Storage Limitation:

Personal data is retained only for limited, necessary periods, distinguishing between "current use" and "archiving" for legal obligations.

5.6. Data Integrity and Confidentiality:

Security is ensured through technical (firewalls), organizational, and legal measures.

5.7. Accountability:

Compliance is documented through a Data Protection Officer, Records of Processing Activities (RoPA), and Impact Assessments (DPIA).

5.8. Privacy by Design and by Default:

Privacy is built in as the standard from the start of any operation.

6. Employee Personal Data

This applies to HR data processed in the EU, UK, and USA.

6.1. Information Collected:

Identity data (name, DOB, SSN/NI number, passport), contact data, employment history, financial data (bank details, salary, tax status), health data (disability status, accident reports), and immigration data.

6.2. Special Categories:

May include health, racial/ethnic origin, or religious beliefs where permitted by law.

6.3. Usage:

Recruitment, payroll, legal compliance, health and safety, and monitoring IT system security.

6.4. Legal Basis:

Performance of a contract, legal obligation, or legitimate interests.

6.6. International Transfers:

Data may be transferred outside the EEA using Standard Contractual Clauses or other legal mechanisms to ensure protection.

7. Data Compliance Procedure

  • Appropriate GDPR information will be communicated to Data Subjects via agreements or notices.

  • Data Subject Requests must be addressed within one (1) month.

  • Any incident presenting a risk to individuals must be notified to the DPO within 72 hours.

8. Breach of Policy

Any employee who acts in breach of this policy may face disciplinary action, up to and including termination of employment.

9. Exceptions to this Policy

In certain circumstances, there may be an exception to this policy. All exceptions are subject to the prior approval of the CEO.