Privacy Statement

Iterum Therapeutics plc and our subsidiaries ("us", "we", "Iterum" or "our") are committed to protecting and respecting your privacy in accordance with the requirements of the Data Protection Acts 1988 to 2018, the General Data Protection Regulation ((EU) 2016/679) and/or such amending legislation or other applicable data protection legislation as may be adopted in Ireland from time to time ("Data Protection Legislation").

This Privacy Statement (together with the Terms and Conditions of Use for the Iterum website ("Site"), the Site's Cookies Statement and the documents referred to therein) sets out the basis on which any personal data we collect from you, gather about you or that you provide to us in connection with the Site will be processed by us. Please read this Privacy Statement carefully to understand our treatment and use of your personal data.

1. ABOUT US

The Site is operated by Iterum Therapeutics plc, a public limited company registered in Ireland (Registered Number: 563531) with an address at Fitzwilliam Court, 1st Floor, Leeson Close, Dublin 2, D02 YW24, Ireland.

2. WHAT PERSONAL DATA WE PROCESS

We may collect, gather and process the following personal data about you:

personally identifiable information (such as name, address, email address, and/or phone number) that you provide to us via an email from this site;

information about you provided to us by your browser, including the web site you came from, the type of browser you use, your computer or device operating system type, IP address, the time and date of access, and other similar information;

information which you submit to us via the 'Careers' section of the Site, including your name, email address, contact details, contact type and notification selections and a copy of your CV/resume, if applicable.

3. PURPOSES FOR PROCESSING

We value your privacy and process your personal data in accordance with applicable Data Protection Legislation. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

We may process and use your personal data, including for the following reasons:

Responding to Communications and Customer Service: For the purposes of responding to a question which you have submitted to us via the Site and/or by email, and to provide customer service.

Site Improvements: To operate, maintain, and improve the Site; for example, your personal data may help us to understand you and your preferences to enhance your experience - and enjoyment - of using the Site.

Analytics and Site Activity: To conduct research on users' demographics, interests, and behaviour based upon data you provide during use of our site. We may combine your data with data collected from other individuals to produce anonymous, aggregated statistical information that will not include personally identifiable information. We may use and disclose this aggregated data for any purpose.

Legal obligations: For compliance with legal obligations to which we are subject.

Notifying you of Product or Company developments: Send you information about our offerings and company developments.

Effectiveness of the Site and Device Compatibility: To ensure that the content from the Site is presented in the most effective, responsive and compatible way for you and your computer or device.

Service changes: To notify you about changes to our services and products.

We will not use your personal data for any other purpose incompatible with the purposes described in this Privacy Statement, unless it is required or authorised by law, with your consent, or is in your own vital interest or that of another person (e.g., in the case of an emergency).

4. LEGAL BASIS

We will only process your personal data where we can rely on one or more of the following legal bases:

Contract: The processing is necessary for the performance of a contract with you (or for taking steps at your request with a view to entering into a contract).

Consent: Where we have your consent to process your personal data for any of the purposes described in Section 3.

Legal obligations: The processing is necessary for compliance with a legal obligation to which we are subject.

Vital interests: The processing is necessary to protect your vital interests or those of another person.

Public interest: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority by us.

Legitimate interests: The processing is necessary for the legitimate interests pursued by us or by a third party, and such shall be balanced against your fundamental rights (e.g. right to privacy) and freedoms.

5. RECIPIENTS OF PERSONAL DATA

We will only grant access to personal data on a need-to-know basis, and such access will be limited to the personal data that is necessary to perform the business function for which such access is granted. No authorisation is or will be extended to access personal data on any other basis.

Access to personal data within Iterum may include IT, legal and compliance, HR, finance or data processing departments.

From time to time, we may need to make personal data available to other unaffiliated third parties. Such unaffiliated third parties may include the following:

Professional advisors: Accountants, auditors, lawyers, bankers, insurers, and other outside professional advisors in all of the countries in which we operate.

Service providers: Companies that provide products and services to us such as IT systems suppliers and support, data storage, insurance, credit card companies, payment processors, analytics companies, website hosting providers and other service providers.

Public and Governmental Authorities: Entities that regulate or have jurisdiction over Iterum such as regulatory authorities, law enforcement, public bodies, and judicial bodies.

Corporate transaction: A third party in connection with any proposed or actual reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of the Iterum business, assets or stock (including in connection with any insolvency event or similar proceedings).

6. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred, stored and accessed within the European Economic Area ("EEA") or transferred to, stored in, and accessed from countries outside the EEA in order to fulfil the purposes described in this Privacy Statement. For transfers to countries outside the EEA, the data protection regime may be different than in the country in which you are located and will therefore be based on a legally adequate transfer method. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is given to it by ensuring at least one of the following safeguards is implemented:

Where the country has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.

We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

Where service providers are based in the US, we may transfer data to them if they are part of the EU-U.S. Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

We will provide you on request a list of the countries located outside the EEA to which personal data may be transferred, and an indication of whether they have been determined by the European Commission to grant adequate protection to personal data. Where applicable, you are entitled, upon request, to receive a copy of the relevant safeguards (for example, EC model contractual clauses) that have been taken to protect personal data during such transfer.

7. SECURITY MEASURES

We are committed to maintaining the security of your personal data we process. We maintain appropriate physical, procedural, organisational and technical security measures intended to prevent loss, misuse, unauthorised access, disclosure, or modification of your personal data under our control. If you have reason to believe that your personal data is no longer secure, please notify us immediately using the contact information supplied in Section 13 below (Contact Us).

8. RETENTION PERIOD

We retain your personal data for no longer than is allowed under applicable Data Protection Legislation and, in any case, no longer than such personal data is necessary for the purpose for which it was collected or otherwise processed, unless a longer retention period is required by applicable law. This means that your personal data will be processed as necessary for establishing, performing and terminating your relationship with us and will thereafter be retained until applicable limitation periods have been passed and in order to comply with statutory retention obligations under applicable law (such as retention obligations arising under commercial and tax law).

9. YOUR DATA PROTECTION RIGHTS

To the extent required by applicable law, you are entitled to obtain information on the processing of your personal data, to object to processing of your personal data, make use of your right to data portability and to have your personal data rectified or deleted or their processing restricted. You also are entitled to withdraw any consent that you might have given with respect to the processing of your personal data at any time with future effect. These are known as "Data Subject Rights." More information regarding each of your Data Subject Rights can be found below.

If you would like to exercise your Data Subject Rights or learn more about the processing of your personal data, please contact us using the information provided under Section 13 below (Contact Us). We will respond to your request(s) as soon as reasonably practicable, but in any case within the legally required period of time.

If you are not satisfied with our response or believe that your personal data is not being processed in accordance with the law, you also may contact or lodge a complaint with the competent supervisory authority or seek other remedies under applicable law.

10. UPDATING YOUR PERSONAL DATA

We strive to maintain your personal data in a manner that is accurate, complete and up to date. However, you have an obligation to keep your personal data up to date and inform us of any significant changes to your personal data. Please contact us using the contact details listed in Section 13 below (Contact Us) if there are any changes in your personal data.

11. LINKS TO OTHER WEBSITES

Our Site may, from time to time, contain links to and from other websites and web platforms. If you follow a link to any of those websites or web platforms, please note that those websites and web platforms have their own privacy policies and that we do not accept any responsibility or liability for those policies. Please check those policies before you submit any personal data to those websites or platforms.

12. CHANGES TO OUR PRIVACY STATEMENT

We reserve the right to change this Privacy Statement at any time in our sole discretion. If we make changes, we will post these changes here so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it. By continuing to use our Site after we post any such changes, you accept and agree to this Privacy Statement as modified.

13. CONTACT US

If you have any questions or concerns regarding this Privacy Statement or our processing of your personal data, or wish to exercise your Data Subject Rights as outlined in Section 9 above, please contact us at privacy@iterumtx.com.

 

DATA SUBJECT RIGHTS

Right to Access

You are entitled to obtain confirmation from us as to whether any personal data concerning you is processed by Iterum.

This includes the right to access such personal data, to obtain a copy of it free of charge (except for repetitive or excessive requests) and to be provided with a description of main features of the processing implemented in relation to your personal data, including:

  • purposes of such processing;
  • categories of personal data concerned;
  • recipients or categories of recipients of personal data, in particular recipients in third countries outside the EEA;
  • the envisaged retention period or, if not possible, the criteria used to determine it;
  • existence of the right to request rectification or erasure of personal data, as well as the right to object to or request restriction of processing;
  • the right to lodge a complaint with a supervisory authority;
  • information relating to any third party source of personal data if the data were not collected from you; and
  • the existence, the logic involved, the significance and the consequences of any automated decisions, including profiling.

Where personal data is transferred outside of the EEA, you will be informed of the appropriate safeguards relating to such transfer.

Right to Rectification

You have the right to obtain from Iterum without undue delay the rectification of inaccurate, incomplete or outdated personal data concerning you.

Right to Erasure

You have the right to obtain from Iterum without undue delay the erasure of your personal data in one of the following cases:

  • such personal data is no longer necessary in relation to the purpose(s) for which it was collected or otherwise processed;
  • you withdraw the consent on which the processing was based, and there are no other legal grounds for the processing;
  • you object to the processing, as provided below;
  • your personal data has been unlawfully processed;
  • your personal data has to be erased for compliance with a legal obligation in EU or EU Member State law.

Iterum may refuse the erasure of personal data if the processing of such data is necessary for:

  • exercising the right of freedom of expression and information;
  • compliance with a legal obligation which requires processing by EU or EU Member State law or for the performance of a task carried out in the public interest;
  • reasons of public interest in the area of public health;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
  • establishment, exercise or defence of legal claims.

Right to Restriction

You have the right to restrict the processing of your personal data in the following cases:

  • where you claim inaccuracy of your personal data processed by us (the restriction being provided for a period enabling us to verify the accuracy);
  • where the processing appears unlawful, and you oppose the erasure and request the restriction of use of your personal data instead;
  • where Iterum does not need such personal data for the purposes of processing, but such personal data is required by you for the establishment, exercise or defence of legal claims; and
  • where an objection is raised by you in relation to the processing, pending verification as to whether the legitimate grounds of Iterum override yours.

When you have obtained from us a restriction of processing of your personal data, you will be informed by us prior to lifting such restriction.

Right to Object

As a general matter, you have the right to object, at any time and on legitimate grounds relating to your particular situation, to the processing of your personal data.

Provided that such objection is justified, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests.

Right to Data Portability

Where the processing is based on your consent, and where such processing is carried out by automated means, you can request from us:

  • to communicate to you the personal data concerning you, in a structured, commonly used and machine-readable format, in order to be able to further transmit such personal data to another data controller; or
  • to directly transmit such personal data to such other data controller, if technically feasible.

Right to Withdraw Consent

Where the processing of your personal data is based on consent, you have the right to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority.