Effective January 1, 2020
1. Types of Personal Information We Collect
The following list describes the general categories of Personal Information we have collected or otherwise received in the past 12 months along with examples of some of the types of information within these categories that may qualify as Personal Information and which we may have collected or otherwise received. It also describes the categories of such information we may continue to collect and our uses of it. The examples are not intended to be comprehensive, and there may be overlap between categories.
We may also receive other Personal Information that you or others provide us or store on our systems, such as in communicating or otherwise interacting with us, providing a reference, or attending an event with us.
2. Sources of Personal Information
In the ordinary course, we collect or otherwise receive the categories of Personal Information above from a variety of sources, including from you directly or from someone who knows you or through automatic collection on our websites. In particular, we may obtain Personal Information: from an individual data subject or a relation of the data subject, such as from personal or business contacts of clients and investors (e.g., financial institutions, advisors, consultants, and other intermediaries or representatives) or other data subjects (e.g., recruiters or references for job applicants); other business contacts of OrbiMed personnel (e.g., financial institutions, service providers, consultants or advisors); research and subscription services; publicly-available sources; governmental agencies, supervisory authorities, and tax authorities; background check companies, credit agencies, or fraud prevention and detection agencies; automated collection on our websites (including through cookies), applications, devices, systems, and networks; or from business and other records legally available to us.
3. Uses of Personal Information
With respect to each of the categories of Personal Information above, we may collect and use the information for the following purposes:
We rely upon grounds permitted under applicable law to process your Personal Information. Such grounds include instances where you have given your consent and cases where your consent is not required under applicable law, such as: where we are required to comply with a legal obligation; where necessary for the performance of a contract entered into with you; or where we (or a third party) determine that it is necessary for our legitimate interests, i.e., in operating and managing our business, including, in addition to the purposes noted above, for other legal, personnel, administrative, and management purposes; the prevention and detection of crime; and any other purpose where we or a third party have determined that you have a reasonable expectation that we or a third party would collect or use your Personal Information for such purpose. If you are an individual in the European Economic Area (the “EEA”) / United Kingdom (the “UK”), you have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. However, we may not be able to fulfil such requests.
4. Consequences of Failing To Provide Personal Information
As a regulated financial services firm, we are subject to legal and regulatory obligations that may require us to collect and store your Personal Information, such as the requirements to comply with the applicable law on the prevention of financial crime, tax and regulatory reporting, or the rules on recording and monitoring of communications (as described below). We may also need to collect and use your Personal Information for the purposes of entering into or performance of a contractual arrangement.
There may be various consequences to refusing to provide us with your Personal Information, depending on the purpose for which the information is required. For instance, we may not be able to communicate with you, we may need to terminate any service or other contractual arrangement between us, or—where we have a reasonable suspicion of illegal activity—we may be required to make a report to regulatory or enforcement agencies.
5. Sharing Personal Information
We have disclosed for a business purpose in the last 12 months, and may continue to disclose for a business purpose, each of the categories of Personal Information in Section 1 above.
We may share Personal Information with the following types of third parties:
6. Cookies and Analytics
In particular, we use Google Analytics to evaluate the use of our websites. To get more information about the Personal Information Google collects through this service, and to utilize Google’s opt-out browser add-on, as may be amended from time to time, please refer to Google’s webpages at: https://policies.google.com/privacy, https://policies.google.com/technologies/partner-sites, and https://tools.google.com/dlpage/gaoptout/.
7. International Data Transfers
We may process your Personal Information in the United States, the EEA / UK, and other countries outside the jurisdiction where it was collected that may not offer the same level of data protection as that afforded by the jurisdiction in which you are present. We will process Personal Information (or procure that it be processed) in accordance with the requirements of applicable law, which may include having appropriate contractual undertakings in legal agreements with service providers who process Personal Information on our behalf. Further information in relation to the transfer of Personal Information (including, to countries outside of the EEA / UK) is available on request using the contact details set out below.
8. Retention of Personal Information
We will generally keep Personal Information about you for as long as necessary in relation to the purpose for which it was collected, or for such longer period if required under applicable law or necessary for the purposes of our other legitimate interests.
The applicable retention period will depend on various factors, such as any legal obligation to which we or our service providers are subject, as well as on whether you decide to exercise your right to request the deletion of your Information from our systems. At a minimum, Personal Information about you will generally be retained for the entire duration of any business relationship we may have with you, and generally for a minimum period of five years after the end of the year in which any such relationship is terminated.
We will, from time to time, review the purpose for which we have collected Personal Information about you and decide whether to retain it, update it, or securely delete it, if the Personal Information is no longer required.
Our websites are not directed to persons under age 18 and we do not sell the Personal Information of such individuals.
10. Security Measures
We aim to protect Personal Information by implementing and maintaining reasonable security, such as by using reasonable organizational, technological, and physical safeguards appropriate to the sensitivity of the Personal Information we hold. We take measures, which are at least as strict as the law requires, to safeguard your Personal Information, but we cannot guarantee its absolute security. Please use caution any time you provide information over the internet.
11. Do Not Track Signals
At this time, our websites do not respond to browsers and do not track signals.
12. Rights Regarding Personal Information
A. Data Rights in Certain Jurisdictions
Persons in certain jurisdictions (e.g., the EEA / UK) have rights under data protection laws that may apply to the Personal Information we hold about those persons and which they may exercise. These include:
B. California Residents’ Rights
Please note that these rights under the CCPA do not apply to information about OrbiMed investors that is covered by the U.S. Gramm-Leach-Bliley Act and implementing regulations, and the California Financial Information Privacy Act, laws which generally apply to nonpublic personal information about individuals who obtain financial products or services from us primarily for personal, family, or household purposes. At this time, the CCPA also includes exemptions from certain of its provisions for information about our personnel (including employees, directors, officers, and contractors) and job applicants, as well as certain information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). Much of the personal information OrbiMed maintains is subject to these exemptions.
For purposes of this section of our Policy, “personal information” is limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.
Right to request disclosure of personal information we collect and share about you
If you are a California resident whose personal information is covered by the CCPA, you may submit a request to us for the following information:
You can also submit a request to us for the following information:
Our responses to such requests will cover the 12-month period preceding our receipt of the request.
Right to request the deletion of personal information we have collected from you
You may also submit a request that we delete personal information about you. If you make such a request, after verifying the request, we will delete the personal information, except for situations where specific information is necessary for us to: provide you with a good or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. We may also retain information where another exception to the deletion requirements in Cal. Civ. Code § 1798.105(d) applies. For instance, the law permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
Sales of personal information
We do not and will not sell your personal information to third parties. Likewise, we have not sold your personal information in the last 12 months.
How to exercise your California rights
To exercise your right to request the disclosure of your personal information that we collect or share, or to ask us to delete your information, either click here or contact us at (866) 210-8234. Depending on the nature of your request, we may ask you for information to verify your request and identity and a declaration attesting to your identity, signed under penalty of perjury. We will respond to requests for access or deletion as soon as practicable and, in any event, generally not more than within 45 days after receipt of your request. We may extend this period to 90 days in some cases. Please note that you may designate an agent to submit requests on your behalf. Requests can be submitted on behalf of yourself individually or on behalf of your household, provided that we can verify that the request comes from each member of your household.
We are committed to complying with the law. If you exercise any of the rights explained in this Policy, we will continue to treat you fairly.
13. Third-Party Links
15. How To Contact Us
1As used herein, "affiliate" means an entity that controls, is controlled by, or is under common control with another entity.
2"Personal data" is information covered by the EU General Data Protection Regulation (the “GDPR”) in circumstances where the GDPR applies.
3This term refers to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.
4This Policy is not intended to cover information that we collect, other than through this website, about our employees.
5Please note that we do not seek to collect information on characteristics of protected classifications from job applicants.