Skip to main content

EU Privacy Notice

  1. Scope of this Privacy Notice

This Privacy Notice (“Notice”) provides information required by the General Data Protection Regulation (“GDPR”) and other applicable privacy laws on how Therakos UK Ltd. (“Therakos”, “we”, “us”) collects and uses information about you when you visit our website and use its functionalities.

This Notice also covers situations where we indicate that it applies, but it does not cover processing of your personal data as an employee, intern, consultant, contractor or applicant of Therakos.

As used in this Notice, “personal data” means any information that relates to, describes, or could be used to identify an individual, directly or indirectly, as also defined in the GDPR. This does not include anonymous data which does not relate to an identified or identifiable natural person and cannot be linked to or identify an individual.

Please read this Notice carefully to understand how we collect and further process personal data.

  1. Who is responsible for your personal data?

The controller for data processing is:

Therakos EMEA
College Business & Technology Park,
Cruiserath Road
Blanchardstown, Dublin 15,
Ireland

Or  toby.godrich@therakos.com

  1. Who can I contact about the processing of my personal data?

If you have any questions about the collection, processing or use of your personal data or about this Notice, you can contact our data protection officer at any time.

Personal/Confidential
Therakos UK Ltd.
Data Protection Officer
3 Lotus Park, The Causeway
Staines-Upon-Thames
TW18 3AG
England

Or via  toby.godrich@therakos.com

  1. Details about the processing of your personal data

The different subsections below provide relevant information about different processing activities that we undertake.

4.1 Providing you with our website, ensuring website security and ensuring website stability

Whenever you visit our website, we process personal data about you for the purposes of providing you with the website, ensuring website security and ensuring website stability (this includes whenever you use any of the website functionalities described in more detail within the sections below). The categories of personal data that will be collected, used and stored are: the IP address of the requesting computer; the requested webpage URL or other action; the machine name, browser used and the operating system of the requesting device; and the time and date of each request. The legal basis for this processing is our legitimate interests in promoting our business via a website in a secure and stable way. The recipients of the data will be Therakos group staff and our service provider, The Digital Parent Company Ltd, trading as UP THERE, DIGITAL 2-3 Tunsgate, Guildford, Surrey GU1 3QT, England), who assists us with this processing.

4.2 When you contact us

Whenever you contact us, we process personal data about you for the purpose of facilitating your contact with us. The categories of personal data that will be processed and the recipients of the personal data depend on the type of contact method:

  • For website contact form queries: Name, email address, phone number, country, content of messages, date, time, machine name, operating system. The recipients of the data will be Therakos group staff and our customer management system provider.
  • For email queries: Email address, name (if provided), content of emails. The recipients of this data w will be Therakos group staff, our email service provider and our customer management system provider.
  • For phone queries: Phone number, name (if provided), notes recorded on our customer relationship management system about the content of the call. The recipients of this data will be Therakos group staff, our email service provider and our customer management system provider.
  • For social media page queries: Name, content of messages, content of social media profile. The recipients of this data will be Therakos group staff, our email service provider and our customer management system provider and LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland).

Depending on your request, the legal basis for this processing are our legitimate interests in encouraging and addressing business queries (Art. 6(1)(f) GDPR) or the fulfillment of a contract or pre-contractual inquiries (Art. 6(1)(b) GDPR).

4.3 MyTherakos

If you choose to create a MyTherakos account, then the additional categories of personal data that will be collected, used and stored about you via our website will depend on the purposes that you use MyTherakos for:

Functionality Purpose Types of data
Registration Allow you to register for MyTherakos so that you can use the various functionalities described below. Title, names, email address, role/specialty, country of work, institution/hospital/place of work, preferred language, login password, communications preferences, whether you / your organisation have a CELLEX device, CELLEX System serial number.
My institute functionality Register for upcoming webinars, view attended webinars, access your Ask the Expert courses and Centre of Excellence bookings. Records of webinars, courses and other events that you have booked or attended.
Orders functionality Access your CELLEX™ System order information here. Take a look at your previous orders, view the status of your requests and check service orders. Serial numbers, pending orders, completed orders, next service due, ship to details, name of products ordered, quantity of products ordered, tracking information about products ordered, order dates, PO number details, lot numbers, service order numbers, status of service order, when next service is due.
E-Learning Take on demand courses and develop your knowledge around ECP Immunomodulation and the THERAKOS™ CELLEX™ Photopheresis System. Our e-learning is designed for HCPs using the CELLEX™ System in their healthcare facility. Your status of completion for each of our E-Learning modules (i.e. not started, in progress, complete).

The legal basis for the MyTherakos processing is the fulfillment of a contract to which you are party (Art. 6(1)(b) GDPR). The recipients of the data will be Therakos group staff and our service provider, The Digital Parent Company Ltd, trading as UP THERE, DIGITAL 2-3 Tunsgate, Guildford, Surrey GU1 3QT, England), who assists us with the processing.

4.4 reCaptcha

When you choose to register for MyTherakos then you must undertake a “reCAPTCHA” test. The purpose of this is so that we can recognise whether your MyTherakos application is in fact being made by a human and not a machine (a so-called “bot”). The categories of personal data that will be collected, used and stored are IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on websites, previously visited websites, interactions with ReCaptcha on other websites, possibly cookies, results of manual recognition processes (e.g. answering questions asked or selecting objects in images).The legal basis for this processing is our legitimate interest in protecting our website from abusive automated crawling and spam. The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

For more details about reCaptcha, please see the following links:

Website: https://www.google.com/recaptcha

Privacy Notice: https://policies.google.com/privacy?hl=en

Right to object (via the Opt-Out-Plugin): https://tools.google.com/dlpage/gaoptout?hl=en

4.5 Providing social media pages

If you click on a link to a social media page of ours on our website, or otherwise access a social media page of ours, then personal data about you will be processed by the provider of that social media website so that our social media page can be provided to you. The categories of personal data that will be collected, used and stored are described in the privacy notice of the provider of the social media website (along with further information about the social media website provider’s own processing of your personal data). Our legal basis for this processing is our legitimate interest in publicising ourselves and our products/services by providing social media webpages. The table below provides further information about the social media sites we currently operate:

Link to our social media page Provider of social media website that receives your data Privacy notice of provider
LinkedIn LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) https://www.linkedin.com/legal/privacy-policy

4.6 Aggregated statistics about who is visiting our social media webpages

We process personal data for the purpose of creating aggregated statistics about who is visiting our social media webpages. The categories of personal data that will be collected and aggregated for this purpose will include data from any profile you have created on the social media provider’s website, how you have interacted with our social media webpage and further data as described in their privacy notice of the provider of the social media website. Unless consent has separately been requested, then the legal basis for the processing is our legitimate interest in understanding the demographics of those who interact with our social media webpages. The table below provides further information the social media sites for which we currently receive aggregated statistics:

Link to our social media page Provider of social media website that receives your data Privacy notice of provider
LinkedIn LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) https://www.linkedin.com/legal/privacy-policy

 

Please also note that LinkedIn is a joint controller with us for this processing and further information about that joint controller relationship can be found here.

4.7 Targeted advertising via social media providers

We process personal data for the purpose of targeted advertising via social media webpage provider(s). Whose personal data and the categories of personal data that will be collected and used for this purpose will depend on our choices through the provider about what types of people we would like to target. It could, however, include data from any profile you have created on the social media provider’s website, how you have interacted with our social media webpage and further data as described in their privacy notice of the provider of the social media provider. Unless consent has separately been requested, then the legal basis for the processing is our legitimate interest in advertising to people who are more likely to be interested in our products and services. The table below provides further information the social media providers that we currently target advertising through:

Link to our social media page Social media provider Privacy notice of provider
LinkedIn LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) https://www.linkedin.com/legal/privacy-policy

 

4.8 Cookies

We also process personal data via cookies. Cookies are small data files that are placed on your computer or mobile device when you visit a website.  Website owners can access the information on the cookies for a variety of reasons that can include enabling their websites to work (or work more efficiently), providing personalised content and advertising, and creating website analytics.

Details about the types of cookies we use can be found in the table below and further relevant details (i.e. about the specific cookies used and what their expiration period is) can be found within our cookie consent management platform widget, which can be accessed by clicking on the “COOKIE SETTINGS” link in the bottom left corner of our website.

Functionality Processing operations, purpose for processing and types of data processed Third party recipients Legal basis
Strictly necessary Strictly necessary cookies store information that must be able to be accessed in order to provide the website services you have requested. None Depending on the cookie’s purpose, the legal basis for this processing are our legitimate interests in providing website services (Art. 6(1)(f) GDPR) or the fulfillment of a contract or pre-contractual inquiries (Art. 6(1)(b) GDPR).
Functional Functionality cookies are used to remember preferences or as otherwise necessary for certain optional functionalities on the website. Vimeo.com, Inc. (see more information about them here).

 

 

Depending on the cookie’s purpose, the legal basis for this processing are our legitimate interests in providing website services (Art. 6(1)(f) GDPR) or the fulfillment of a contract or pre-contractual inquiries (Art. 6(1)(b) GDPR).
Analytics Analytics cookies are used to  record data about actions that you take on our website. The information about your actions will then be combined with information about the actions of others on the website (and possibly with other information about you and those other people that the third party analytics provider holds) to create aggregated statistics about how the website is being used and the types of people that are using it. We will then use those aggregated statistics to improve our website and our business more generally. Google (see more information about them here). Your separately requested consent (Art. 6(1)(a) GDPR).
Advertising Advertising cookies are also used to record data about actions that you take on our website. This data can be combined with data about your use of other websites that the providers of the cookies have access to. That allows a profile of your interests to be built by the providers of those cookies and for you to be shown more targeted ads on other websites (including possibly ads for our products and services). These cookies may also allow the success of the targeted advertising to be measured too. LinkedIn (see more information about them here). Your separately requested consent (Art. 6(1)(a) GDPR).

4.9 Direct email marketing

If you sign up for it, then we process personal data for the purpose of sending you direct email marketing about ourselves and our services / products. The categories of personal data that will be collected, used and stored are email address, record of your choices (including time stamp), record of marketing emails that have been sent to you. The legal basis for this processing is your separately obtained consent. The recipients of the data will be Therakos group staff and our service provider, The Digital Parent Company Ltd, trading as UP THERE, DIGITAL 2-3 Tunsgate, Guildford, Surrey GU1 3QT, England), who assists us with this processing.

4.10 Lawful requests

If necessary, we will process personal data for the purpose of complying with lawful requests. The categories of personal data that will be accessed, used and shared could be any that we hold depending on what is requested. The processing is necessary for compliance with a legal obligation to which we are subject. If the request is based on a non EU or EU member state law, then the lawful basis will be our legitimate interest in complying with lawful requests to which we are subject. The recipients of the data would be competent authorities and the data would be stored for as long as those competent authorities decide to store it.

4.11 Mergers, acquisitions etc.

If necessary, we will process personal data for the purpose of assisting with the selling, transferring, merging, divesting, restructuring, reorganising, or dissolving processes in relation to all or a portion of our business or assets. The categories of personal data that will be shared could be any that we hold depending on what is necessary in the circumstances. The legal basis for this sharing will be our legitimate interests in undertaking those types of processes, unless the sharing is necessary for the for the performance of a contract to which you are party (in which case that will be the legal basis for the sharing). The recipients of the data would be the entities involved in these processes and the data would be stored for as long as those entities decide to store it.

4.12 Technical IT support

If necessary, we will process personal data for the purpose of undertaking technical IT support. The categories of personal data that will be accessed and used could be any that we hold depending on what is necessary in the circumstances. The legal basis for this sharing will be our legitimate interests in ensuring that our systems function the way they should. The recipients of the data are IT service providers and the data will not generally be stored for these purposes.

4.13 IT security

If necessary, we will process personal data for the purpose of IT security. The categories of personal data that will be accessed and used could be any that we hold depending on what is necessary in the circumstances. The legal basis for this sharing will be our legitimate interests in maintaining appropriate IT security. The recipients of the data are IT service providers and the data will not generally be stored for these purposes.

4.14 Legal, accounting, compliance or emergency matters

If necessary, we will process personal data for the purpose of assisting with legal, accounting, compliance or emergency matters. The categories of personal data that will be accessed, used and shared could be any that we hold depending on what is necessary in the circumstances. The legal basis for this processing will be our legitimate interests in undertaking processing that is necessary for legal, accounting, compliance or emergency purposes. The recipients of the data in these circumstances will be professional advisers and competent authorities. The data will be stored for as long as they decide to store it.

  1. Who will we share your personal data with

In addition to the sharing of personal data that is described in the sections above, we will also share data within the Therakos group of companies and with any service providers, as far as this is necessary for the assistance with the processing purposes described above.

  1. International data transfers

Therakos is a part of a global organization, with legal entities, business practices, and technical systems that operate across borders. Your personal data may be collected, transferred to, and stored by us, our subsidiaries and/or third-party service providers that are in other countries. Therefore, your personal data may be transferred and processed outside your jurisdiction and in countries that may not provide for the same level of data protection as your jurisdiction. Where European Economic Area and UK applicable law requires us to use an international data transfer mechanism, we rely on adequacy decisions as adopted by the European Commission or UK government (as relevant), the Standard Contractual Clauses issued by the European Commission or UK government (as relevant), or pursuant to established derogations for specific situations.

For more information on the appropriate international data transfer mechanisms that we use or a copy thereof, please contact our data protection officer: toby.godrich@therakos.com

  1. How long we retain your personal data

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We will retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

  1. How we protect your personal data

We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing.

  1. Your Rights

You have certain rights regarding our processing of your personal data under applicable data protection laws. This section describes these rights and how you can exercise them. Please note these laws may provide limitations or exceptions that apply to these rights. We have described these rights generally, without noting all applicable jurisdictions, limitations, or exceptions. When you make a request to exercise any of these rights, we may provide more detailed information regarding any exceptions or limitations that apply.

  • Right to know and to access: You have the right to ask us to confirm whether or not we process your personal data, the categories of personal data we have collected and the sources from which we collect it, our purposes for collecting your personal data, the categories of third parties to whom we disclose your personal data, and the specific pieces of personal data we have collected about you. You have the right to request a copy of your personal data and supplementary information.
  • Right to correction/rectification: You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete information you believe is incomplete.
  • Right to erasure/deletion: You have the right to request that we erase or delete your personal data, under certain circumstances and subject to certain exceptions.
  • Right to restriction of processing: You have the right to restrict the processing of your personal data, under certain circumstances, including, depending on applicable law and the jurisdiction in which you reside or are located, opting out of disclosures of personal information to an unaffiliated third party who does not serve as our agent or service provider, if any, or use of personal information for a purpose other than the purpose for which it was originally collected or subsequently authorized if any such use occurs.
  • Right to data portability: You have the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format that allows you to transmit the data to another controller without hindrance. You also have the right to request that we transmit this data directly to another controller.
  • Right to withdrawal of consent: In the event our processing of your personal data is based on your consent, you may withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to object to processing. You have the right to object to the processing of your personal data at any time, under certain circumstances.
  • Right to lodge a complaint with a supervisory authority: You have the right make a complaint about our processing of your personal data to a relevant data protection supervisory authority. We would, however, appreciate the opportunity to address your concerns before you do so. The supervisory authority responsible for us is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

To exercise any of the above rights or if you have any questions about this Notice, please use the contact details above.

  1. Automated decision-making and profiling

We do not use automated decision-making or undertake profiling via our website.

  1. Changes and updates to this Notice

We ask you to inform yourself regularly about the content of our Notice as we will amend it from time to time to address changes to the data processing carried out by us, or as required by applicable laws. make this necessary.

The current status of this Notice is active as of: 1 December 2024