Effective and last updated: December 5, 2017

Chiasma, Inc. (“Chiasma”) understands the importance of privacy and is committed to protecting the privacy of Personal Information (defined below) that it obtains regarding business partners, healthcare professionals, participants in clinical trials, visitors to its websites, and others. We comply with all applicable laws and regulations when collecting and using Personal Information.

This Privacy Shield Policy describes Chiasma’s policies and procedures for using and safeguarding Personal Information, for managing our relationships with third parties who may have access to Personal Information, and for complying with applicable data protection laws. This Privacy Shield Policy also describes how individuals can contact us to update their Personal Information or express their preferences about how we process their Personal Information.

In furtherance of its commitment to the protection of Personal Information, Chiasma has certified that it complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce (“Privacy Shield”) regarding the collection, use, and retention of Personal Information originating from European Union member countries. In particular, Chiasma has certified that it adheres to the Privacy Shield principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability as well as applicable supplemental principles. To learn more about the Privacy Shield and to view our certification page, please visit https://www.privacyshield.gov/.

We may amend this Privacy Shield Policy at any time and will provide notice of any material changes on this website, by email, or by some other method.

DEFINITIONS

Personal Information means data that (i) is transferred from the European Union to the United States in reliance on the Privacy Shield, (ii) is recorded in any form, (iii) is about an identified or identifiable individual, and (iv) can be linked to that individual. Personal Information does not include key-coded research data if Chiasma does not receive the key that allows the subjects of the data to be identified.

Sensitive Information means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or the sex life of the individual or any other Personal Information received from a third party where the third party identifies and treats the information as sensitive.

HOW WE COLLECT PERSONAL INFORMATION

In the course of our ordinary business activities, Chiasma may collect Personal Information from our business partners and other commercial entities, healthcare professionals, participants in clinical trials, and others.

We collect only Personal Information that is necessary for our legitimate business purposes or to fulfill our legal obligations. This information may include, for example, name, age, contact details, employment history, education history, occupation or business details (such as areas of specialization), and/or medical information.

Chiasma avoids collecting Sensitive Information. However, in some instances, such as in the context of clinical trials, Chiasma may need to collect Sensitive Information, including information regarding medical history, diagnoses, treatments, and medications.

HOW WE USE AND SHARE PERSONAL INFORMATION

General Principles

Chiasma is committed to using reasonable commercial measures to ensure that its collection, use, disclosure, and maintenance of Personal Information complies with all applicable laws and regulations, this Privacy Shield Policy, the Privacy Shield, and the following principles. Personal Information will be:

  • Fairly and lawfully collected, used, disclosed, and maintained;
  • Processed only for the specified and lawful purposes for which it was collected;
  • Adequate, relevant, and not excessive for the purposes for which it was collected;
  • Accurate and, where necessary, kept up-to-date;
  • Not kept longer than necessary for the purposes for which it was collected;
  • Appropriately protected against unauthorized, inadvertent, or illegal access, use, or disclosure through administrative, physical, and technical safeguards; and
  • Neither transferred to, nor accessed by, any person in a country or jurisdiction which has inadequate protections in place (as determined by Chiasma) without additional contractual or other safeguards.

Notice

In the event that Chiasma collects Personal Information from an individual, Chiasma will notify the individual, through this Privacy Shield Policy or otherwise, of the following: (i) the types of Personal Information that it collects about the individual, (ii) the purposes for which it collects and uses the Personal Information, (iii) the type or identity of third parties to which it discloses the Personal Information and the purposes for which it does so, and (iv) the location of this Privacy Shield Policy, which contains further information on the individual’s rights and how to contact Chiasma with any inquiries or complaints. Notice will be provided in clear and conspicuous language at the time the Personal Information is collected or as soon as reasonably practicable thereafter (and in any event before Chiasma uses the information for a purpose other than that for which it was originally collected or processed or discloses it for the first time to a third party other than an agent). Notice follows for certain classes of individuals whose Personal Data we may in some instances receive.

  • Notice for Patients Participating in Our Clinical Trials. We collect various data about patients participating in our clinical trials, including data regarding medical history, diagnoses, treatments, and medications. The data we collect is further described in the informed consent form signed by each participant. We use these data for the conduct of the applicable clinical trial, for related research purposes, for activities related to the clinical development of our product candidates, for pharmacovigilance activities, to comply with applicable laws and regulations, and as otherwise permitted by the applicable informed consent form. In general, these data are coded and do not constitute Personal Information.
  • Notice for Healthcare Professionals, Researchers, and Staff Participating in Our Clinical Trials and Other Research and Development Activities. We collect professional and related Personal Information about healthcare professionals, researchers, and staff participating in our clinical trials and other research and development activities, such as name, age, contact details, employment history, education history, and occupation or business details (such as areas of specialization). We use this Personal Information to administer our clinical trials and other research and development activities, for pharmacovigilance activities, for other legitimate business purposes, and to comply with applicable laws and regulations.
  • Notice for Healthcare Professionals Who Treat Diseases that Are the Focus of Our Research or Products. We collect professional and related Personal Information about healthcare professionals who treat diseases that are the focus of our research or products, such as name, contact details, and occupation or business details (such as areas of specialization). We use this Personal Information to identify clinicians who may be knowledgeable about a particular disease, for pharmacovigilance activities, for other legitimate business purposes, and to comply with applicable laws and regulations.
  • Notice for Vendors and Business Partners, Patients, and Members of the General Public. We collect general contact and related Personal Information about employees of our vendors and business partners, patients with a particular disease, and members of the general public, such as name, email address, mailing address, and email or mailing preferences. We use this Personal Information for legitimate business purposes, for marketing purposes, to conduct market research, to participate in community activities, and to comply with applicable laws and regulations.
  • Notice for Visitors to Our Websites. For further information on how Chiasma uses and discloses Personal Information collected through our website, such as through the “Contact” page of our website, see our Website Privacy Policy, available at http://www.chiasmapharma.com.

We may transfer Personal Information to business partners, vendors and subcontractors, regulatory authorities, law enforcement agencies, and other third parties in furtherance of the foregoing activities or as otherwise required by applicable laws and regulations. For example, Chiasma may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or other law enforcement requirements.

Choice

We offer individuals the opportunity to choose (opt-out) whether their Personal Information is (i) to be disclosed to a third party, other than to an agent performing tasks on our behalf and pursuant to our instructions, or (ii) to be used for a purpose that is materially different than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Information, we obtain affirmative, express consent (opt-in) from the subject of the information before disclosing their Sensitive Information to a third party or using their Sensitive Information for a purpose other than that for which it was originally collected or subsequently authorized with the individual’s consent. An individual who wishes to limit the use or disclosure of their Personal Information should contact Chiasma at the email or mailing address below.

Onward Transfers

Prior to disclosing Personal Information to a third party, other than to an agent performing tasks on our behalf and pursuant to our instructions, Chiasma will notify the relevant individual of the disclosure and allow the individual the choice to opt-out of the disclosure. We will ensure that any third party to which Personal Information is disclosed has agreed to use the data for only limited and specified purposes, provides the same level of protection as required by the Privacy Shield, and otherwise makes the commitments required by the Privacy Shield. Chiasma is potentially liable for onward transfers of Personal Information to these third parties.

Data Security

Chiasma takes reasonable and appropriate measures to protect Personal Information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Data. We have put in place appropriate administrative, physical, and technical safeguards in furtherance of this commitment.

Data Integrity and Purpose Limitation

We only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, we take reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current. We retain Personal Information in a form that identifies or could identify the individual for only as long as required by its intended purpose or for scientific research or statistical analysis.

Access

We allow individuals to access their Personal Information and allow individuals to correct, amend, or delete Personal Information that is inaccurate or has been processed in violation of the Privacy Shield, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated. An individual who wishes to receive access to, or to correct, amend, or delete, their Personal Information should contact Chiasma at the email or mailing address below.

Recourse, Enforcement, and Liability

We use a self-assessment approach to assure compliance with the Privacy Shield and this Privacy Shield Policy and periodically verify that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and accessible and in conformity with the Privacy Shield.

We encourage individuals who have an inquiry or complaint regarding Chiasma’s processing or transfer of their Personal Information to contact Chiasma at the email or mailing address below. We will investigate and attempt to resolve any inquiries or complaints regarding our use and disclosure of Personal Information in accordance with the Privacy Shield. For inquiries and complaints that cannot be resolved through our internal processes, Chiasma has engaged an independent dispute resolution service based in the United States, called JAMS, and this independent dispute resolution service is offered to individuals free of charge. Individuals can contact JAMS to open a Privacy Shield dispute by following the instructions at https://www.jamsadr.com/eu-us-privacy-shield. Under certain circumstances, individuals may have a right to invoke binding arbitration to resolve a dispute with Chiasma regarding the processing or transfer of their Personal Information under the Privacy Shield.

Chiasma is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission and other United States regulatory bodies.

CONTACT INFORMATION

If you have questions regarding this Privacy Shield Policy or Chiasma’s processing or transfer of your Personal Information or would like to exercise any of your rights described above, please contact us by mail or e-mail at the following addresses:

Chiasma, Inc.
Attn: Drew Enamait, VP Finance & Administration
460 Totten Pond Road
Suite 530
Waltham, MA 02451
USA
drew.enamait@chiasmapharma.com

CHANGES TO THIS POLICY

This Privacy Shield Policy may be amended by Chiasma from time to time in a manner that is consistent with the requirements of the Privacy Shield. When this Privacy Shield Policy is amended, the “Effective Date” at the top of this document will be updated accordingly. Any material changes to this Privacy Shield Policy will be posted on Chiasma’s website and available to the general public through a hyperlink on www.chiasmapharma.com.