
Research Study Participant Privacy Notice

Research Study Participant Privacy Notice for Research Study Participants within the European Economic Area and the United Kingdom

This Research Study Participant Privacy Notice (“Notice”) explains how Variant Bio, Inc. (“Variant Bio”, “we” or “us”) processes personal data provided by Research Study Participants within the European Economic Area (“EEA”) or the United Kingdom (“UK”), together “Europe”, through participation in research studies. For the purposes of this Notice, “personal data” means any information related to an identified or identifiable individual.

Our research studies in Europe are conducted in collaboration with research partners such as academic institutions. The personal data that is collected about you by our research partners and provided to us will be anonymized or pseudonymized (meaning that direct personal identifiers such as names and addresses are replaced with coded identifiers such as numbers) before it is provided to us, and we will not try to identify you.

Please also refer to the information regarding personal data processing contained in the Participant Information Sheet that is provided to you in connection with the specific research study that you participate in. Where applicable, we indicate whether and why you must provide your personal data, as well as the consequences of failing to do so. If you do not provide your personal data when requested, you may not be able to participate in our research studies if that personal data is necessary for our research studies, or if we are legally required to collect it.

TYPES OF PERSONAL DATA WE RECEIVE

In the course of our research studies, we may receive and process the following categories of personal data:

  1. Phenotypic data, such as age, body mass index (BMI), or clinical measurements
  2. Health data, such as medical history and health survey information
  3. Data resulting from analysis of biospecimens (other than genetic data), such as biochemistry results and results of transcriptomic, proteomic and metabolomic analysis
  4. Genetic data resulting from analysis of biospecimens, where coded identifiers are used in place of names or other direct personal identifiers

Personal data in all these categories is pseudonymized, and we will not receive any names or other direct identifiers that can easily identify you. We will also not combine this personal data with the intent to identify you.

PURPOSE AND LEGAL BASES FOR PROCESSING

We process your personal data for the following purposes and legal bases:

  • Participation in research studies and related research purposes
    • Legal Basis: Consent (Art. 6(1)(a) of the General Data Protection Regulation (“GDPR”) and Art. 9(2)(a) of the GDPR when processing health-related data, genetic data, and other personal data that qualifies as special categories of personal data under the GDPR). When we rely on your consent to process your personal data, we ensure that any further use of your personal data for research purposes will be compatible with the original purpose of collecting the personal data.
  • Conducting biomedical and health-related research
    • Legal Basis: Processing is necessary for reasons of public interest in the area of public health (Art. 9(2)(i) GDPR), when this processing is not covered by consent.
  • Improving scientific understanding and medical treatments, and further developing medical treatments
    • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) when we process personal data for these purposes, and scientific research purposes (Art. 9(2)(j) GDPR) when we process special categories of personal data under the GDPR. We only rely on our legitimate interests to process your personal data when these interests are not overridden by your rights and interests.
  • Ensuring research integrity and safety
    • Legal Basis: Processing is necessary to comply with a legal obligation (Art. 6(1)(c) GDPR) or is necessary for the purposes of our legitimate interests (Art. 6(1)(f) GDPR). We only rely on our legitimate interests to process your personal data when these interests are not overridden by your rights and interests.
  • Complying with regulatory requirements
    • Legal Basis: Processing is necessary to comply with a legal obligation (Art. 6(1)(c) GDPR) or is necessary for the purposes of our legitimate interests (Art. 6(1)(f) GDPR). We only rely on our legitimate interests to process your personal data when these interests are not overridden by your rights and interests.

HOW WE PROTECT YOUR PERSONAL DATA

We use a combination of technical, organizational, and administrative safeguards that are designed to ensure the confidentiality, integrity, and availability of your personal data. These include:

  • Coding and storage of data
  • Role-based access restrictions
  • Encryption and pseudonymization of sensitive data
  • Regular audits and compliance checks

DATA SHARING

We may share your anonymized or pseudonymized personal data with the following parties:

  • With our own corporate entities and affiliates.
  • Authorized research collaborators, academic institutions, and laboratories. We may disclose personal data to research collaborators, academic institutions, and laboratories, as further described in the Participant Information Sheet.
  • Ethics committees and regulatory authorities. We may disclose personal data if we are legally required to do so, or if we have a good faith belief that such use is reasonably necessary to comply with a legal obligation, process, or regulatory request.
  • Vendors and service providers (e.g., data hosting, analysis platforms). We may share any personal data we receive with vendors and service providers retained in connection with the research studies.
  • Subsequent corporate ownership. If we are involved in a merger, acquisition, bankruptcy, reorganization, partnership, asset sale, or other similar transaction, we may disclose or transfer your personal data as part of that transaction, as permitted by law or contract.

An explanation of the proposed sharing of data for each of our studies is contained in the Participant Information Sheet for the applicable study.

INTERNATIONAL TRANSFERS

Some personal data may be transferred to countries outside the European Economic Area or the United Kingdom, including the United States, based on Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Government, your explicit consent, or otherwise in accordance with applicable data protection laws. For more information about the tools that we use to transfer your personal data, or to obtain a copy of the contractual safeguards that we use for such transfers (if applicable), you can contact us as described below.

YOUR PRIVACY RIGHTS

Study participants located in Europe have the following privacy rights:

  • Right of access – You can request a copy of your personal data
  • Right to rectification – You can ask for incorrect personal data to be corrected, and you can update your personal data
  • Right to erasure – In certain cases, you may ask for your personal data to be deleted (information resulting from analysis of your data with other data cannot be deleted)
  • Right to restriction of processing – You may request limited use of your personal data
  • Right to data portability – You can request your personal data in a machine-readable format and transmit it to another controller
  • Right to object – You may object to processing based on legitimate interests
  • Right to withdraw consent – If processing is based on consent, you may withdraw it at any time. We will apply your preferences going forward and this will not affect the lawfulness of the processing before you withdrew your consent.
  • Right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you.

To exercise your rights, you should contact the study investigator listed on the Patient Information Sheet for the study you participated in (their name and contact information is listed), since we cannot directly identify you based on the personal data we collect. Before fulfilling your request, we, or the study investigator, may ask you to provide reasonable information to verify your identity. Please note that there are exceptions and limitations to each of these rights, and that we may retain personal data for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.

HOW LONG WE KEEP YOUR PERSONAL DATA

We retain your personal data for the minimum period necessary to fulfill the research purposes and to comply with legal obligations, unless you request earlier deletion under applicable rights. When we process personal data for our own purposes, we determine the retention period taking into account various criteria, such as the length of our relationship with you, the impact on our research studies if we delete some personal data, and mandatory retention periods provided by law and the statute of limitations. In case your data is anonymized, meaning that it will no longer be considered personal data, it may be retained indefinitely for scientific purposes.

AUTOMATED DECISION-MAKING

No automated decision-making or profiling is performed using your personal data in our research studies.

CHANGES

Where required, we will update this Notice from time to time. When we do so, we will indicate the date of the latest revision. If we materially change the ways in which we use or share personal data previously collected from you, we will post an updated Notice on our website.

QUESTIONS OR COMPLAINTS

Variant Bio is the data controller responsible for processing your personal data as described in this Notice.

If you have any concerns or complaints about how your data is handled, you may contact our Data Protection Officer at privacy@variantbio.com.

Our representative in the EU (as required under Article 27 GDPR) is: DataRep. You can reach DataRep by emailing datarequest@datarep.com with “Variant Bio” included in the subject line or by using the DataRep webform, which is available online at: www.datarep.com/data-request

If you are a participant located in Europe, you also have the right to lodge a complaint with your local data protection authority, including in your country of residence, place of work, or where an incident took place. A list of supervisory authorities in the EU can be found here: https://edpb.europa.eu/about-edpb/board/members_en and the UK supervisory authority can be found here: https://ico.org.uk/

Date: April 11, 2025