Last Updated December 16, 2021
As used in this Policy, the term “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.
To the extent that data protection laws in other jurisdictions are applicable, including but not limited to the EU General Data Protection Regulation 2016/679, including as transposed into UK law by virtue of the EU-UK Brexit Withdrawal Agreement (the "GDPR"), and China’s Personal Information Protection Law (the “PIPL”), the term “Personal Information” shall have the meaning as defined under the applicable laws.
For purposes of the GDPR, to the extent applicable, OrbiMed acts as controller for the personal information that is processed when you access our websites or related services. This Policy applies to individuals only and may be changed at any time.
1. Types of Personal Information We Collect
The following list describes the general categories of Personal Information we have collected or otherwise received in the past 12 months along with examples of some of the types of information within these categories that may qualify as Personal Information and which we may have collected or otherwise received. It also describes the categories of such information we may continue to collect and our uses of it.
- Personal identifiers, such as name, signature, postal address, email address, phone number, fax number, account name, Social Security number, tax identification number, photographs, IP address, device ID, and copies of identification documents (e.g., passport, driver’s license)
- Demographic and association-related information, such as age and date of birth, place of birth, residency information, family member information, authorized signatories, and information on parties associated with an account
- Commercial and financial information, such as records of property, products, or services purchased, obtained, or considered; other investing or consuming histories or tendencies; information on investments, assets, expenses, accounts, net worth, tax information, holdings, account balances, transaction history, utility bills, bank statements, credit history, and trust and estate planning documents
- Internet or other electronic activity information, such as information regarding an individual’s interaction with a website or application, browsing history, and calls and emails sent and received
- Audio and visual information, such as photographs, video footage from CCTV, and voicemail
- Professional background information, such as references, resumes, information on positions held, and military service history
We may also receive other Personal Information that you or others voluntarily provide to us when communicating or otherwise interacting with us, providing a reference, or attending an event with us.
2. Sources of Personal Information
In the ordinary course, we collect or otherwise receive the categories of Personal Information above from a variety of sources, including from you directly or from someone who knows you or through automatic collection on our websites. In particular, we may obtain Personal Information: from an individual data subject or a relation of the data subject, such as from personal or business contacts of clients and investors (e.g., financial institutions, advisors, consultants, and other intermediaries or representatives); other business contacts of OrbiMed personnel (e.g., financial institutions, service providers, consultants or advisors); research and subscription services; publicly-available sources; governmental agencies, supervisory authorities, and tax authorities; background check companies, credit agencies, or fraud prevention and detection agencies; automated collection on our websites (including through cookies), applications, devices, systems, and networks; or from business and other records legally available to us.
3. Uses of Personal Information
With respect to each of the categories of Personal Information above, we may collect and use the information for the following purposes:
- Administering the relationship between and serving investors and clients
- Business operations, including but not limited to: securing credit or financing; managing administrative and operational matters; administering our service provider, contractor, and vendor relationships and services; auditing; conducting research and analysis; designing and improving operations, products, and services; operating our customer service and respond to inquiries; operating our website; and managing risk
- Marketing our products and services
- Complying with applicable legal or regulatory requirements and OrbiMed policies and contracts, responding to valid legal requests, assessing and investigating compliance, and other legitimate business and commercial purposes
- Monitoring, managing, and securing resources, property, and personnel
- Enforcing or defending our rights
- Sharing with third parties in connection with a potential acquisition of all or part of our assets or interests in our business, or with third parties that may succeed us in carrying on our business or to which our business is transferred
We rely upon grounds permitted under applicable law to process your Personal Information. For purposes of the GDPR where it is applicable, such grounds include, exceptional circumstances, your consent and in case your consent is not required under applicable law, our requirement to comply with a legal obligation; where necessary for the performance of a contract entered into with you or to take steps prior to entering into a contract with you; where we (or a third party) determine that it is necessary for our or the third party’s legitimate interests, i.e., in operating and managing our business and website, including, in addition to the purposes noted above, for other legal, personnel, administrative, and management purposes; the prevention and detection of crime; and any other purpose where we or a third party have determined that you have a reasonable expectation that we or a third party would collect or use your Personal Information for such purpose. For purposes of China’s PIPL where it is applicable, such grounds include your consent, and in case your consent is not required under applicable law, where necessary for performance of a contract entered into with you; where necessary to perform a statutory responsibility or statutory obligation; where necessary for responding to a public health emergency or for protecting life, health or property safety of a natural person in the case of an emergency; for processing Personal Information within a reasonable scope to carry out news reporting or supervision by public opinions for public interest purposes; and processing publicly available Personal Information within a reasonable scope.
If you are in the European Economic Area (the “EEA”) or the United Kingdom (the “UK”) or China, you may have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. However, we may not be able to fulfil this request in all instances. Please contact us using the contact information below to receive more information, including with respect to the balancing test we have performed in this regard.
4. Consequences of Failing To Provide Personal Information
As a regulated financial services firm, we are subject to legal and regulatory obligations that may require us to collect and store your Personal Information, such as the requirements to comply with the applicable law on the prevention of financial crime, tax and regulatory reporting, or the rules on recording and monitoring of communications (as described below). We may also need to collect and use your Personal Information for the purposes of entering into or performance of a contractual arrangement.
5. Sharing Personal Information
We have disclosed for a business purpose in the last 12 months, and may continue to disclose for a business purpose, the following categories of Personal Information to the following categories of third parties:
|Categories of Consumers’ Personal Information
||Categories of Third Parties With Which We Shared Personal Information for a Business Purpose
|Personal identifiers such as name, signature, postal address, email address, phone number, fax number, account name, Social Security number, tax identification number, photographs, copies of identification documents (e.g., passport, driver’s license), and other similar identifiers
||Service providers and trading counterparties to us and our clients, including placement agents or distributors, brokers, banks, trading venues, clearing houses, custodians, corporate services providers, administrators of our funds, providers of customer or client relationship management tools, telecommunications and information technology (“IT”) providers, advisors (including but not limited to tax and legal and compliance advisors), accountants and consultants
To any natural or legal person as directed by you
|Demographic and association-related information: age and date of birth, place of birth, residency information, family member information, authorized signatories, and information on parties associated with an account
Commercial and financial information: records of property, products, or services purchased, obtained, or considered; other investing or consuming histories or tendencies; information on investments, assets, expenses, accounts, net worth, tax information, holdings, account balances, transaction history, utility bills, bank statements, credit history, and trust and estate planning documents
|Service providers and trading counterparties to us and our clients, including placement agents or distributors, brokers, banks, trading venues, clearing houses, custodians, corporate services providers, administrators of our funds, providers of customer or client relationship management tools, IT providers, advisors (including but not limited to tax and legal and compliance advisors), accountants and consultants
To any natural or legal person as directed by you
Service providers and trading counterparties to us and our clients, including placement agents or distributors, brokers, banks, trading venues, clearing houses, custodians, corporate services providers, administrators of our funds, providers of customer or client relationship management tools, IT providers, advisors (including but not limited to tax and legal and compliance advisors), accountants and consultants
To any natural or legal person as directed by you
|Professional background information: references, resumes, information on positions held, and military service history
||Service providers and trading counterparties to us and our clients, including placement agents or distributors, brokers, banks, trading venues, clearing houses, custodians, corporate services providers, administrators of our funds, providers of customer or client relationship management tools, IT providers, advisors (including but not limited to tax and legal and compliance advisors), accountants and consultants
To any natural or legal person as directed by you
|Internet or other electronic network activity information: information regarding an individual’s interaction with a website or application, browsing history, and calls and emails sent and received
||Service providers that provide data security services and cloud-based data storage; host our websites and assist with other IT-related functions; provide website hosting, webcast and teleconference services; advertise and market our products; and provide analytics information
|Audio and visual information: photographs, video footage from CCTV
||Service providers that provide security services; maintain our voicemail platform
Additional Information About How We May Share Personal Information
We may also share Personal Information with the following types of third parties:
- Third parties (including regulators and courts) to comply with legal or regulatory obligations or in response to valid legal requests, including to the extent required by law, regulation, subpoena or court order or otherwise in connection with a judicial, administrative or governmental proceeding or as requested by any governmental agency or regulatory authority; to detect and protect against fraud or any technical or security vulnerabilities; or to respond to an emergency or otherwise to protect the rights, property, safety, or security of our business, third parties, or the public
- Any natural or legal person, as directed by you
- Any natural or legal person to whom we may in the future transfer any of our rights or obligations under any agreement, or in connection with a sale, merger or consolidation of our business or other transfer of our assets, whether voluntarily or by operation of law, or who is otherwise deemed to be our successor or transferee
To the extent the PIPL is applicable, please contact us via PrivacyPolicy@OrbiMed.com
and we will separately disclose relevant information as required under the PIPL about third-party data controllers to whom we share your Personal Information, and we will also perform other obligations under the PIPL to protect the security of your Personal Information.
6. Cookies and Analytics
In particular, we use Google Analytics to evaluate the use of our websites. To get more information about the Personal Information Google collects through this service, and to utilize Google’s opt-out browser add-on, as may be amended from time to time, please refer to Google’s webpages at: https://policies.google.com/privacy, https://policies.google.com/technologies/partner-sites, and https://tools.google.com/dlpage/gaoptout.
7. International Data Transfers
Because of the international nature of our business, we may process your Personal Information in the United States, the EEA / UK, and other countries outside the jurisdiction where it was originally collected that may not offer the same level of data protection as that afforded by that jurisdiction. We will only process and transfer your Personal Information (or procure that it be processed and transferred) in accordance with the requirements of applicable law, which may include having appropriate contractual undertakings in legal agreements with service providers who process Personal Information on our behalf. Individuals in the EEA and UK may have a right to request a copy of these agreements using the contact details set out below. Where there is a direct transfer from you as an individual to us, we rely on the household exemption where such is available under applicable law such as the GDPR. Further information in relation to the transfer of Personal Information (including, to countries outside of the EEA / UK) is available on request using the contact details set out below.
To the extent the PIPL is applicable, please contact us via PrivacyPolicy@OrbiMed.com and we will separately disclose relevant information as required under the PIPL about the international data transfers, and we will also perform other obligations under the PIPL to protect the security of your Personal Information.
8. Retention of Personal Information
We will generally keep Personal Information about you for as long as necessary in relation to the purpose for which it was collected, or for such longer period if required under applicable law or necessary for the purposes of our other legitimate interests.
The applicable retention period will depend on various factors, such as any legal obligation to which we or our service providers are subject, as well as on whether you decide to exercise your right to request the deletion of your Information from our systems (to the extent such right exists in the jurisdiction in which you reside). At a minimum, Personal Information about you will generally be retained for the entire duration of any business relationship we may have with you, and generally for a minimum period of five years after the end of the year in which any such relationship is terminated.
We will, from time to time, review the purpose for which we have collected Personal Information about you and decide whether to retain it, update it, or securely delete it, if the Personal Information is no longer required.
Our websites are not directed to persons under age 18 and we do not sell the Personal Information of such individuals.
10. Security Measures
We aim to protect Personal Information by implementing and maintaining reasonable security, such as by using reasonable organizational, technological, and physical safeguards appropriate to the sensitivity of the Personal Information we hold. We take measures, which are at least as strict as the law requires, to safeguard your Personal Information, but we cannot guarantee its absolute security. Please use caution any time you provide information over the internet.
11. Do Not Track Signals
At this time, our websites do not respond to browsers and do not track signals.
12. Rights Regarding Personal Information
A. Data Rights in Certain Jurisdictions
Persons in certain jurisdictions (e.g., the EEA / UK, China) may have rights under data protection laws that may apply to the Personal Information we hold about those persons and which they may exercise subject to the limitations under applicable law such as the GDPR and the PIPL. These include:
- To request access to your Personal Information
- To request rectification of inaccurate or incomplete Personal Information
- To request erasure of your Personal Information (a “right to be forgotten”)
- To restrict the processing of your Personal Information in certain circumstances
- To object to our use of your Personal Information, such as where we have considered such use to be necessary for our legitimate interests and/or in the case of direct marketing activities
- Where relevant, to request the portability of your Personal Information to a third party
- Where you have given consent to the processing of your Personal Information, to withdraw your consent
- To lodge a complaint with the competent supervisory authority
B. California Residents’ Rights
Please note that these rights under the CCPA do not apply to information about OrbiMed investors that is covered by the U.S. Gramm-Leach-Bliley Act and implementing regulations, and the California Financial Information Privacy Act, laws which generally apply to nonpublic personal information about individuals who obtain financial products or services from us primarily for personal, family, or household purposes. The CCPA also includes exemptions from certain of its provisions for information about our personnel (including employees, directors, officers, and contractors) and job applicants, as well as certain information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). Much of the personal information OrbiMed maintains is subject to these exemptions.
For purposes of this section of our Policy, “personal information” is limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.
Right to request disclosure of personal information we collect and share about you
If you are a California resident whose personal information is covered by the CCPA, you may submit a request to us for any or all the following information:
- The categories of personal information we have collected about you
- The categories of sources from which we collected the personal information
- The business or commercial purposes for which we collected or sold the personal information
- The categories of third parties with which we shared the personal information
- The specific pieces of personal information we collected
You can also submit a request to us for the following information:
- The categories of personal information (if any) that we have sold about you, the categories of third parties to which we sold that information, and the category or categories of personal information sold to each third party
- The categories of personal information that we disclosed about you for a business purpose
Our responses to such requests will cover the 12-month period preceding our receipt of the request.
Right to request the deletion of personal information we have collected from you
You may also submit a request that we delete personal information about you. If you make such a request, after verifying the request, we will delete the personal information, except for situations where specific information is necessary for us to: provide you with a good or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. We may also retain information where another exception to the deletion requirements in Cal. Civ. Code § 1798.105(d) applies. For instance, the law permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
Sales of personal information
We do not and will not sell your personal information to third parties. Likewise, we have not sold your personal information in the last 12 months and have not sold the personal information of minors under 16 years of age.
How to exercise your California rights
To exercise your right to request the disclosure of your personal information that we collect or share, or to ask us to delete your information, either click here or contact us at (866) 210-8234. Depending on the nature of your request, we may ask you for information to verify your request and identity and a declaration attesting to your identity, signed under penalty of perjury.
For requests for access or deletion, we will first acknowledge receipt of your request within 10 business days of receipt of your request. We will provide a substantive response as soon as practicable and, in any event, generally not more than within 45 days after receipt of your request. We may extend this period to 90 days in some cases and will advise you when that is necessary and why.
Verification of requests
We will ask you for identifying information and attempt to match it to information that we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.
You may designate an agent to submit requests on your behalf. The agent must be a natural person or a business entity that is registered with the California Secretary of State.
If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our agent verification process. You will be required to verify your identity by providing us with certain personal information as described above. Additionally, we will require that you provide us with written confirmation that you have authorized the agent to act on your behalf. The agent will be required to provide us with proof of the agent’s identity and proof that you gave the agent signed permission to submit a request on your behalf.
Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.
There may be some types of personal information that can be associated with a household (a group of people living together in a single dwelling). Requests for access or deletion of household personal information must be made by each member of the household. We will verify the identity of each member of the household using the verification criteria explained above and will also verify that each household member is currently a member of the household.
We are committed to complying with the law. If you exercise any of the rights explained in this Policy, we will continue to treat you fairly.
Shine the Light law
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for direct marketing purposes in the preceding calendar year. We have not made any such disclosures in the calendar year preceding the date of this Policy.
13. Third-Party Links
15. How To Contact Us