8.9.2025
This information notice explains how Orion Corporation processes certain types of personal data.
Orion Corporation is committed to protecting the study participants’ and other data subjects’ privacy in compliance with all applicable regulations and ensuring the security of their personal data. This privacy notice explains how we collect, use, and protect the personal information.
We have received this personal data from the original data owner who has collected it from clinical research study participants or individuals who have given their sample to biobank research with a consent to share their data with external researchers for scientific purposes. We call scientific research conducted with such personal data Human Data Research.
Contact Details
Data Controller: Orion Corporation
Human Data Research contact: clinicaltrials@orionpharma.com
Data Protection Officer (DPO): privacy@orionpharma.com
Telephone +358 (10) 4261
1. What data do we collect?
In Human Data Research, Orion Corporation only collects information related to the data subject that the data subject has consented to in their agreements with the original data collector. The data is always in pseudonymised form, and it may include the following information:
- Sex
- Year of birth or age
- Ethnicity
- Broad location
- Relevant (sometimes extensive) medical history
- Data obtained from biological samples (DNA, RNA, metabolites)
- Information on behaviours and habits
In addition, we process individual codes which prevent Orion Corporation from recognizing and identifying the individuals. Identification is possible only when the data subject's number is combined with the code key kept by the original data provider or the responsible investigator. This so-called pseudonymisation is explained in Chapter 2.
Data is typically collected from the data subjects themselves, from the healthcare systems’ patient files, from commercial biobanks, from the investigators as well as from the results of the tests performed during the clinical study (in case the data originates from a clinical study).
2. Pseudonymisation
Pseudonymisation, normally coding, is a safeguard measure that helps to protect the individual’s personal data. It means that personal data is processed in such a way that it can no longer be attributed to the data subject without the use of additional information. The additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed directly to the data subject.
The safeguard measure is implemented by giving the data subject a number, in other words a code, which prevents Orion Corporation from recognising and identifying them. Identification is possible only when this number is combined with the code key kept by the investigator (in case of a clinical study) or by the original data provider. Therefore, Orion Corporation has no means to identify the data subject from the data it receives.
3. How do we use the collected data?
We process the collected personal data for the following purpose:
- Human data research: To enable Orion Corporation to facilitate drug discovery and development through target identification and/or validation and personalised medicine therapy development.
This means that the data is being used to understand the links between biological mechanisms and the disease, such as a genetic variant causing a specific illness or increasing the susceptibility to disease. Human Data Research studies help us to identify and select new drug targets for a particular disease or to identify a sub-group of patients in whom the effect of the drug is enhanced.
4. Legal Basis
The legal basis for the processing of personal data in relation to Human Data Research is as follows:
- Human data research: Legitimate interests of the controller, i.e. Orion Corporation
5. How do we share the collected data?
Data processing by Orion Corporation is performed in the European Economic Area (EEA). The personal data collected may be transferred to information technology (IT) companies who assist us by performing data processing and technical operations such as data storage and hosting, both inside and outside of the EEA, possibly to countries where the level of data protection legislation may not be at the same level as in the EU. The protection of personal data being transferred outside of the EU or the EEA is based on one or several of the following transfer mechanisms: the adequacy decision made by the EU Commission in accordance with the GDPR article 45; the signing of the Standard Contractual Clauses by the controller and the recipient in accordance with the GDPR article 46(2); or in specific situations on safeguards in accordance with the GDPR article 49.
6. How long do we store the data?
The personal data shall be retained by Orion Corporation in strict accordance with the data use limits set by the original data provider. If no such limit is set, then we will annually evaluate the continued use of the data set. Once the data use limit has been reached, or if it has been internally decided, then the whole data set, and any copies, will be deleted from Orion Corporation’s servers.
7. What are the rights and options for the participants?
If the data subject wishes to obtain more information regarding the processing of their personal data or their rights as a data subject, or wants to exercise such rights, they can make a request to this effect by contacting the original data provider. Depending on the provider, they may have the following rights:
- Access their data: They can request from the original data provider information and a copy of their personal data that have been collected.
- Rectify inaccurate data: In order to keep their data up-to-date and accurate, they can request the original data provider to modify their data.
- Erasure: They can ask the original data provider to erase their personal data.
- Restrict processing: In some cases, they may have the right to limit the processing of their personal data.
- Data portability: They may ask to receive their personal data, which they have provided to the original data provider and that is being processed by automated means, in a structured and machine-readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
- Object to data processing: They can object to the use of their personal data.
8. Security Measures
The original data provider will keep the data subjects’ names, personal identification numbers and contact details confidential and will not pass this information to Orion Corporation. The people who analyse the data will not be able to identify the individuals and will not be able to find out their names, personal identification numbers or contact details.
The collected personal data is held in a combination of secure computer storage facilities.
We have implemented appropriate measures to ensure the level of security around the collected personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it.
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from
- unauthorised or unlawful processing,
- accidental or unlawful loss, destruction or alteration,
- unauthorised access to (or disclosure of), or damage to, the collected personal data.
These measures include e.g.
- locks and security systems;
- encryption;
- usernames and passwords;
- virus checks and data security updates;
- auditing procedures and regular data integrity checks; and
- recording of file movements.
We limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process the personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.
We have agreed on security-related measures with the third parties we share the collected personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard the personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify the data subjects and any applicable supervisory authority where we are legally required to do so.
9. Changes to this Notice
We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.
10. Contacts
Since Orion Corporation as the controller has only information related to the data subject’s coded number, it is impossible for Orion Corporation to recognize or identify them or provide further information regarding the processing of their personal data. If, however, the questions relate to processing of personal data by Orion Corporation for Human Data Research in general, Orion Corporation can be contacted. If there are concerns regarding Orion’s processing of the data subjects’ personal data, data subjects have the right to make a complaint to a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of their personal data infringes the General Data Protection Regulation.