Introduction

Vamos Biotech (Shanghai) CO., LTD (“VB”) is a company engaged in development and commercialization of new generation of medical substances with anticancer, antiviral, and antibiotic resistant bacterial infections.

VB follows the United Nations Global Compact principles, and we are committed to high standards of information security, privacy, and transparency.

What is GDPR

On May 25th, 2018, the European Union General Data Protection Regulation (“GDPR” or “regulation”) becomes enforceable establishing a new framework for handling and protecting personal data. The GDPR is the most significant piece of data protection legislation to date, further strengthening individual data privacy rights and creating a uniform data protection law across Europe.

The regulation applies to the processing of personal data and encompasses all organizations established in the EU, additionally applying to organizations outside the EU that monitor the behavior of EU residents or offer goods or services within the EU. The terms “processing” and “personal data” are each defined broadly: “processing” meaning any operation or set of operations performed on personal data, whether or not by automated means; “personal data” meaning any information relating to an identified or identifiable natural person and can be in any format.

Key GDPR principles:

  • 1.1Lawful, fair, and transparent processing
    Personal data must be processed in a lawful, fair, and transparent manner. This means organizations that process personal data must process either based on consent, performance of a contract, legal obligations, protection of vital interests, necessity for public interests, or the legitimate interests of the organization. Organizations must be transparent and inform data subjects about the processing activities performed on their personal data.
  • 1.2Data subject rights
    The regulation expands data subject rights, including the right of access, right of rectification of any inaccurate or incomplete personal data, right to erasure, right to restrict the processing of personal data, right to object to processing, right to data portability, among others.
  • 1.3Consent
    Requests for consent must be freely given, specific, informed, and unambiguous by a statement or clear affirmative action.
  • 1.4Data Protection Impact Assessment
    Where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects a Data Protection Impact Assessment should be conducted by the organization conducting the processing in order to assess the risks, impacts, and possible remediation measures.
  • 1.5Privacy by design and default
    Organizations must incorporate organizational and technical mechanisms to protect personal data in the design of new products, systems, or processes.
  • 1.6Personal data breach
    In the event of a data breach involving personal data the organization acting as the data controller must, where feasible, report the breach to the authorities within 72 hours. Where there is likely a high risk to the affected data subjects such data subjects shall be notified without undue delay.
  • 1.7Data transfers 
    The regulation applies strict standards around transfers of personal data to third parties for processing or transferring of personal data across borders. The data controller has accountability to ensure personal data is protected and GDPR requirements met when the data is transferred outside the organization to a third party.
  • 1.8Data Protection Officer
    Certain organizations will need to appoint a Data Protection Officer, including organizations whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of sensitive personal data.

Our preparation for GDPR

Data protection and data privacy themselves are not new concepts to which organizations like Vamos Biotech must adhere.

We have long been committed to these concepts and the GDPR is an opportunity to build a stronger data protection and data privacy foundation. We embrace, amongst others, the privacy by design and privacy by default principles of the GDPR. We are committed to complying with the GDPR by the May 25th, 2018 enforcement date and fully supports the intent of the legislation.

We are taking proactive steps towards our GDPR commitment. We ran a program of work which had an internal, cross-functional, global steering committee comprised of senior members and a Certified Information Privacy Professional – Europe, who ensured that we expanded current data protection and data privacy practices to meet GDPR compliance. Additionally, we are using the opportunity to continually further enhance internal information security policies and adhere to applicable international standards and industry best practices.

Our Systems

When using our Products or treatments through our platforms and systems, our customers can be assured of their ability to comply with their GDPR requirements.

As part of our GDPR program, we constantly engage independent experts specializing in privacy and cyber security to carry compliance and cyber security tests and provide data protection impact assessments (DPIA), to identify any privacy related risks and solutions to resolve such potential threats.

If you have any questions, you can reach us at legal@vamos-biotech.com or contact us at the following address:

Vamos Biotech (Shanghai) CO., LTD
Attn: Legal,
2F, Building #5, Lin Gang Fengxian Industrial Park,

1800 Xin Yang Road, Feng Xian District,

Shanghai 201413,

P.R. China.