Effective Date: 22 January 2024
GTL processes Personal Data in its interactions with visitors, prospects, partners, clients, employees, job applicants, contacts, investors, service providers, contractors, and users (collectively the “Individuals”) of its platforms, namely groundtruthlabs.com (the “Website”) app.groundtruthlabs.com (the “App”).
GTL is committed to conducting its business in compliance with applicable data protection regulations, particularly the General Data Protection Regulation (EU) 2016/679 of 27th April 2016 (“GDPR”), as well as other relevant laws and regulations which aim to protect individual rights concerning the collection, use, retention, transfer, disclosure, and destruction of Personal Data.
- What Personal Data does GTL collect and process about Individuals?
- Why does GTL process this data?
- What legal bases allow GTL to do so?
- From what sources does GTL collect Personal Data?
- Who is authorised to process Personal Data on behalf of GTL?
- How does GTL ensure the security and protection of Personal Data?
- How long will GTL retain Personal Data?
- What are the Individuals' rights regarding GTL's processing of their Personal Data?
- How can Individuals exercise these rights?
The following definitions apply throughout:
|Natural person or legal entity processing Personal Data on behalf of GTL.
|Individual or legal entity receiving Personal Data from GTL. This may include GTL employees or external entities (e.g., partners like healthcare organisations or professionals, suppliers, service providers, clients, banks, etc.).
|Information that can directly or indirectly identify a Data Subject, such as a name, identification number, location data, online identifier, etc.
Please note: GDPR makes a distinction between organisations that process personal data for their own purposes (known as “Data Controllers”) and organisations that process personal data on behalf of other organisations (known as “Data Processors”). GTL acts as a Data Controller for information where GTL determines the nature and purpose of the processing. GTL may be a Data Processor if it acts on behalf of a third party.
Processing may be managed directly by GTL or via designated Data Processors.
GTL only processes Personal Data that complies with GDPR's general principles and is related to data collected by or for its teams, or processed with its teams, and only if it complies with GDPR's general principles.
GTL may process Personal Data for the following purposes:
Business and Contractual Relationships
- Managing contractual and contact relationships, and business development, including identifying potential contractors, partners, service providers, and clients.
- Executing and managing agreements with GTL's academic partners (e.g., healthcare organisations like hospitals, universities, research centres, healthcare professionals), non-academic partners (e.g., pharma companies, biotech companies, or other corporate partners), service providers, and/or suppliers.
- Implementing and managing invoicing and accounting.
Compliance with Legal, Regulatory, Best Practices, and Ethical Obligations Applicable to GTL
- Complying with industry standards and GTL policies.
- Ensuring the security of Personal Data collected and processed by GTL.
- Managing marketing campaigns (via email, SMS, phone, etc.) and media advertising.
- Communicating and managing newsletters.
- Managing targeted advertising and segmentation.
- Organising and managing events which GTL sponsors or participates in.
- Managing social media campaigns (including data on registrations, posts, likes, replies, forwards, comments, opinions, etc.).
- Managing surveys.
- Managing job advertisements and applications, including pre-contractual relationships with job applicants.
Website Maintenance and Management
- Managing the Website (case studies, contact forms, etc.).
Protecting GTL's Rights and Interests
- Managing investigations, pre-litigations, and litigations.
- Protecting GTL's rights or third-party rights, including intellectual property, privacy, safety, and property.
- Protecting GTL against harmful actions or omissions, including fraudulent activity.
GTL is granted the right by Individuals to process their Personal Data for the aforementioned purposes. However, any data supplemented by GTL's processing and analysis, known as supplemented data, remains GTL's exclusive property (usage analysis, statistics, etc.).
Lawfulness of Processing Conducted by GTL
The purposes for which GTL processes Personal Data are based on the legal bases described below.
Processing is Required for GTL's Legitimate Interest or a Third Party
- When GTL processes Personal Data for its legitimate interest, it evaluates whehter this interest conflicts with the fundamental rights and interesets of the Data Subjects.
- For instance, protecting GTL from fraudulent activities, managing research and development activities, managing contact relationships and business development, and sending newsletters to relevant industry and professional groups and contractors with pre-existing relationships with GTL.
Processing Required to Meet Legal Requirements and Enforcing Legal Terms
- GTL may process Personal Data to comply with all legal obligations.
- For example, monitoring adverse events or device deficiencies of marketed products, transparency regarding GTL&aspos;s relationships with healthcare professionals and institutions, and financial and tax reporting.
Data Subject Has Given Consent for the Processing of Personal Data
- GTL may process Personal Data for specific purposes for which the Data Subject has given clear consent.
- For instance, sending GTL's newsletter to Data Subjects is based on their consent.
Processing is Required for Performance of a Contract
- GTL may process Personal Data for the execution of contracts between Data Subjects (or their employers) and GTL.
- For example, GTL processes Personal Data necessary for contract performance for purposes like negotiating contracts with GTL's partners, suppliers, service providers, clients, and following up on GTL's contractual relationships.
Processing is Required for Reasons of Public Interest
- When applicable laws entitle GTL to do so, notably in public interest cases, GTL may process Data Subjects' Personal Data.
- For instance, if laws in a Data Subject's country allow GTL to process Personal Data in public health areas to ensure high-quality healthcare and safety of medicinal products or medical devices, GTL could process Personal Data for scientific research projects to improve or develop new products or devices.
Personal Data GTL Processes
GTL processes a wide range of Personal Data, depending on its relationship with Data Subjects and third parties it works with, which may provide GTL access to Personal Data.
For example, GTL processes Personal Data like identification details (names, birth dates, pseudonyms, client numbers, usernames, passwords), contact details (emails, addresses, phone numbers), professional data (company names, job titles), bank details, contract-related data, and internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP addresses, etc.).
Personal Data Sources
Personal Data is generally collected directly from Data Subjects (direct collection).
Collection may also be indirect via partners, clients, service providers, and suppliers of GTL, authorised to do so in compliance with applicable law and their privacy and data protection policies.
In such cases, GTL ensures the quality of the data it receives. If Data Subjects have questions about the initial collection of their Personal Data by GTL's partner, client, service provider, or supplier, GTL invites Data Subjects to contact them directly or refer to their data protection policies.
Personal Data of Children
GTL's Website is not designed for use by children under the age of thirteen (16) years. GTL does not deliberately process Personal Data from children below thirteen (16) years through its Website.
Should a parent or guardian discover that their child has supplied Personal Data to GTL via its Website, they are urged to contact GTL's Chief Technology Officer promptly to request the erasure of the relevant Personal Data in compliance with applicable data protection laws.
Recipients of Personal Data
GTL ensures that Personal Data, considering the processing purpose(s), is accessible solely to authorised internal and external Data Recipients who require this information.
Internal Data Recipients of GTL
Authorised personnel from GTL, depending on the processing purpose(s) and the Personal Data involved, may include members of the following teams:
- Communications and marketing
- Business development
- Authorised employees from teams handling control and audit functions (teams overseeing internal control procedures, etc.).
External Data Recipients of GTL
External Data Recipients of GTL may include, depending on the processing purpose(s) and the Personal Data involved:
- GTL's partners (e.g., healthcare organisations like hospitals, research centres, universities, healthcare professionals, service providers, suppliers, pharmaceutical companies, biotech firms, or other corporate partners);
- Legal or administrative authorities, as mandated by applicable laws and regulations to which GTL is subject;
- Potential acquirers and other stakeholders in case of a corporate transaction such as a change in GTL's control, arising from a capital increase, merger, demerger, or through the total or partial sale of business activities.
Data Recipients are subject to a confidentiality obligation. GTL only provides them with the essential information required to process Personal Data in line with identified purposes.
GTL decides which Data Recipients can access specific Personal Data through contracts or internal policies.
Personal Data may also be forwarded to any legally authorised authority. In such instances, GTL is not responsible for how these authorities access and process the Personal Data but will restrict the data accessed by these authorities to the minimum required.
GTL will never sell Personal Data to any third parties.
GTL determines the retention period for Personal Data in line with its legal and contractual obligations.
After specified periods, Personal Data is either deleted or retained post-anonymisation, particularly for statistical purposes. It may be kept in case of pre-litigation and litigation.
Data Subjects are reminded that deletion or anonymisation are irreversible, and GTL cannot restore Personal Data afterwards. Once anonymised, it is impossible to link anonymised data with the initial Personal Data, and GTL will not be able to respond to Data Subjects' requests to exercise their rights as described below.
GTL follows the retention principles outlined below:
Clients and Partners' Personal Data
For the duration of the contractual relationship with GTL, including the contract term, warranty terms plus five (5) years for legal obligations, notwithstanding storage and retention obligations or statute of limitations.
Job Applicants' Personal Data
Unless a job applicant requests otherwise, their Personal Data is processed and stored for two (2) years from collection, with GTL possibly asking the applicant to extend this period every two (2) years.
The above retention period is subject to any storage and retention obligations or statute of limitations applicable to GTL.
Personal Data Related to Contacts and Potential Clients
Three (3) years from GTL's collection of the Personal Data or from the last contact initiated by the potential client or contact.
Bank Details Information (i.e., data related to bank or payment cards)
Until full payment is made or; Until receipt of goods or provision of service. This period extends by the withdrawal period for distance sales of goods and services.
For managing claims, data related to payment cards may be stored in intermediate archives as evidence in case of disputed transactions for thirteen (13) months following the debit date. This period may extend to fifteen (15) months to accommodate deferred payment cards.
Rights of Data Subjects
Any requests related to exercising the rights above must be made in writing, sent by email to email@example.com or by post to the Legal team – Ground Truth Labs – 125 Wood Street, London, United Kingdom, EC2V 7AW accompanied by a signed copy of identity document such as a passport or national ID card/driver's licence.
In accordance with data protection laws and regulations, Data Subjects are informed that the rights mentioned above are personal and can only be exercised by the Data Subjects concerning their information. For security purposes, GTL must verify the identity of the Data Subject before disclosing any Personal Data.
Response time for Data Subject's requests may vary based on the request's complexity or if the Data Subject submitted multiple requests.
Confirmation and Access Right
Data Subjects can request GTL to confirm whether their Personal Data is being processed and can access their Personal Data, including requesting copies. Misuse of this right may incur costs for the Data Subjects.
- If requested electronically, the information will be provided in a commonly used electronic format, unless otherwise specified.
- Data Subjects are informed that this right does not extend to confidential information or data whose communication is legally restricted.
- The right to access should not be exercised abusively, i.e., legally but with the sole aim of hindering the proper execution of the service in question.
Updating and Rectification Rights
Data Subjects can ask GTL to correct their Personal Data if it is inaccurate, incomplete, or outdated.
Right to Oppose Processing Activities
Data Subjects can object to the processing of their Personal Data, subject to legal and/or regulatory restrictions. For instance, concerning GTL's newsletters, Data Subjects can opt-out at any time using the “unsubscribe” link in these newsletters.
Right to Deletion
The right to deletion does not apply where processing complies with a legal obligation or is necessary for legal claims.
In other cases, Data Subjects can request deletion if:
- The Personal Data is no longer needed for its original purpose;
- The Data Subject withdraws consent and there is no other legal basis for processing;
- The Data Subject objects to processing for GTL's legitimate interests, and there are no overriding legitimate grounds for continuing processing;
- The Data Subject objects to processing for marketing purposes, including profiling;
- The Personal Data has been unlawfully processed.
- Under Personal Data protection legislation, Data Subjects are informed that this is a personal right that can only be exercised concerning their own information.
Rights to Restrict Processing
Data Subjects are informed that the right to restrict processing is not applicable when GTL's processing complies with legal and regulatory obligations or when processing Personal Data is necessary for service performance.
Personal Data Portability Right
GTL will comply with Personal Data portability requests specifically concerning data provided by Data Subjects themselves, via online services provided by GTL and based solely on personal consent. In such instances, Personal Data will be provided in a structured, commonly used, and machine-readable format.
Automated Individual Decision-Making
GTL does not engage in automated individual decision-making.
Rights After Death
Data Subjects have the right to issue instructions regarding the retention, deletion, and communication of their data post-mortem.
Data Processors - Subprocessors
GTL may select any Data Processor of its choice for processing Personal Data. In such cases, GTL ensures that the Data Processor adheres to obligations under applicable data privacy laws and regulations, particularly the GDPR.
GTL commits to signing a contract with every Data Processor, imposing the same Personal Data protection obligations as those applicable to GTL. GTL also reserves the right to audit the Data Processor to ensure compliance with GDPR obligations.
In order to provide our products and services, GTL engages the subprocessors listed on this page. A Subprocessor is a third-party engaged by GTL, to support our broad operations in some way that requires them to process some Personal Data for which GTL is the Data Controller.
GTL has implemented comprehensive technical and organisational measures to safeguard the integrity and confidentiality of Data Subjects’ Personal Data. These measures consider the state of the art, implementation costs, and the nature, scope, context, and processing purposes, as well as the risk to the rights and freedoms of the Data Subjects. These measures include, but are not limited to:
- Management of Personal Data access rights;
- Internal backups;
- Identification processes;
- Security audits;
- Implementing an IT system security policy;
- Implementing business continuity and disaster recovery plans;
- Using security protocols and/or solutions.
Personal Data Breach
In case of a Personal Data breach, GTL commits to notifying the relevant data supervisory authority (e.g., the list of competent supervisory authorities within the European Union can be found on the European Data Protection Board's website) as required by the GDPR. If such a breach poses a high risk to Data Subjects and the Personal Data was not protected, GTL will notify the affected Data Subjects and provide necessary information and recommendations to the affected Data Subjects.
Head of Information Security
GTL has appointed a Head of Information Security. They can be contacted at:
Data Subjects seeking specific information or having questions can contact the Head of Information Security, who will respond within a reasonable timeframe based on the nature of the request or information sought.
For issues related to Personal Data processing, Data Subjects may contact the Head of Information Security.
Right to Lodge a Complaint with a Supervisory Authority
Individuals whose personal data is processed by GTL have the right to lodge a complaint with the relevant supervisory authority (for example, the list of competent supervisory authorities within the European Union can be found on the European Data Protection Board's website) if they believe the processing of their personal data is not in accordance with applicable data protection laws and regulations.
Data Processing Agreement/Addendum (“DPA”)
GTL's DPA outlines the terms and conditions under which GTL processes personal data. The DPA is available online for review by Individuals and Data Controllers where GTL is a Data Processor of a third party Data Controller.
For more general information about personal data protection, please visit the website of the competent supervisory authority (for instance, the list of competent supervisory authorities within the European Union is available on the European Data Protection Board's website).
|Ground Truth Labs
125 Wood Street,