GDPR POLICY

1. ABOUT THIS GDPR POLICY

This policy outlines an individual’s rights under the European Union (EU) General Data
Protection Regulation (GDPR). For additional details regarding the types of personal information
that Immunologix Laboratories (Immunologix) collects and processes and how this information is
used and disclosed, see the Immunologix Laboratories Privacy Policy
(www.immunologixlabs.com/privacy-policy/).

2. ABOUT GDPR

GDPR is an EU law to safeguard personal data on the internet for citizens and legal residents of
the EU and European Economic Area (EEA). The law was approved in 2016 with full compliance
enforced starting 25-May-2018 and addresses targeting or collection of personal data within and
outside the EU and EEA. GDPR gives individuals control over their personal data, and how that
personal data is collected and used. Failure to comply with GDPR can result in harsh fines and
penalties. While GDPR is an EU law, it is administered by individual member states (see
Appendices A and B below).

3. GDPR DEFINITIONS

Personal Data – Personal data is any information that relates to an individual who can be directly
or indirectly identified. Examples include names and email addresses. Location information,
ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be
personal data.

Data Processing – Any action performed on data, whether automated or manual, including
collecting, recording, organizing, structuring, storing, using, and erasing.

Data Subject – The person whose data is processed. These include customers or website visitors.

Data Controller – The person who decides why and how personal data will be processed. This
may be any employee in the organization who handles data.

Data Processor – An employee that processes personal data on behalf of a Data Controller.

Data Protection Officer (DPO) – Senior member of the organization responsible for overseeing
the implementation of GDPR at Immunologix. Additional details can be found below.

4. GDPR DATA PROTECTION PRINCIPLES

Processing of data must be lawful, fair, and transparent to the data subject. Data must be
processed for the legitimate purposes detailed in the Immunologix Laboratories Privacy Policy
and/or other documents, as appropriate. Immunologix will only collect the minimum amount of
personal data necessary for the specified purpose. Whenever possible, personal data should be
kept accurate and up to date. Data should only be stored for the length of time for the specified
purpose. Processing of personal data must be done in a way that ensures security, integrity, and
confidentiality. Data Subjects have the right to withdraw consent to use their data and may ask
that any personal data stored at Immunologix be erased.

5. GDPR ACCOUNTABILITY

Data Controllers must demonstrate that they are GDPR compliant. The Data Controller may
delegate data protection responsibilities to Data Processors. Immunologix should maintain
detailed documentation on the data that is being collected, how it is used, where it is stored, and
which employees are responsible for the data. The DPO must ensure that staff that handle
confidential data are trained in the handling of data subject to GDPR. Immunologix, generally,
does not share confidential private information outside of the company. However, should sharing
data with a third-party organization be necessary, a data processing agreement should be put in
place to govern how the third-party handles personally identifiable data.

6. GDPR BREACHES AND POTENTIAL PENALTIES

Breaches to GDPR should be reported within 72 hours to the appropriate Data Protection
Authority (See Appendices A and B below). For the EU, fines up to €10 million, or 2% of
worldwide annual revenue (whichever is higher) are possible for breaches due to conduct of
controllers and processors. Fines of up to €20 million, or 4% of worldwide annual revenue
(whichever is higher), may be levied for violating basic principles of processing, conditions of
consent, the data subjects' rights, or transfer to a third party without a data processing
agreement and disclosure to the data subject. Fines from other Supervisory Authorities, such as
the United Kingdom, Switzerland, or California, are unique to each locale. In the event of a
breach, the DPO will serve as the point of contact for data protection supervision authorities.

7. GDPR RESPONSIBILITIES FOR THE DATA PROTECTION OFFICER (DPO)

While Immunologix does not technically need a DPO because all operations reside within the
state of Florida, USA, the role is assigned to ensure proper handling of private data of citizens
and residents of the EU and other locations (see Appendices). The DPO is identified in the
Immunologix Laboratories Organization Chart under the Critical Roles section.
The Data Controller and Data Processor must ensure that the DPO is involved and informed of
any issues that relate to the protection of personal data. The DPO must report to the highest levels
of management in the organization and is bound by confidentiality. The DPO has six main tasks:
a) Receive comments and questions from Data Subjects regarding the processing of their
personal data
b) Inform employees of their obligations under GDPR
c) Monitor compliance to GDPR, train staff, and perform annual compliance reviews
d) Perform data impact assessments (if necessary)
e) Cooperate with data protection supervision authorities, when appropriate
f) Be point of contact in the event of a breach

8. GDPR COMPLIANCE ANNUAL REVIEW

An annual review of data collection practices should be performed and should ensure the
following:
a) This GDPR Policy is up to date
b) A senior member of staff has been assigned the role of Data Protection Officer
c) Clear information has been provided to the data subject
d) Proper protections are in place
e) Processes exist for informing the EU authorities should a breach occur
f) An easy process exists for Data Subjects to request removal of their data
g) Processing agreements exist for third-party processors (if applicable)

9. REVIEW AND CHANGES TO THIS PRIVACY POLICY

The Immunologix Laboratories GDPR Policy will be reviewed at least annually to ensure
compliance with EU regulations. Updates will be published and available on the Immunologix
website (www.immunologixlabs.com/GDPR-policy/).

10. LEGAL STATUS OF THE IMMUNOLOGIX LABORATORIES GDPR POLICY

GDPR is designed to protect the privacy of Data Subjects who are citizens and legal residents of
the EU. All of Immunologix Laboratories' operations reside within the United States and
therefore operate outside the direct regulatory authority of the EU. However, Immunologix
may, occasionally, collect and handle data from EU citizens and residents and is therefore making
necessary efforts to comply with GDPR. Additionally, many of the concepts contained within the
GDPR apply to the California Consumer Privacy Act (CCPA) of 2018, which is a US state level
regulation regarding data protection for residents of California. The Immunologix Laboratories
GDPR Policy is not a contract, and it does not create any legal rights or obligations. Immunologix
reserves the right to modify or amend this policy at any time.

General inquiries regarding the processing of personal data should be submitted in writing to
info@immunologixlabs.com. To withdraw consent for Immunologix Laboratories to use
personal data and have any personal data stored at Immunologix Laboratories deleted, contact
GDPR@immunologixlabs.com. A reply will be sent with a summary outlining the data stored
and the final data disposition.

APPENDIX A: EU SUPERVISORY AUTHORITIES
European Data Protection Board – https://edpb.europa.eu/edpb_en
Austria – https://www.dsb.gv.at/
Belgium – https://www.autoriteprotectiondonnees.be
Bulgaria – https://www.cpdp.bg/
Croatia – https://www.azop.hr/
Cyprus – https://www.dataprotection.gov.cy/
Czech Republic – https://www.uoou.cz/
Denmark – https://www.datatilsynet.dk/
Estonia – https://www.aki.ee/en
Finland – https://www.tietosuoja.fi/en/
France – https://www.cnil.fr/
Germany – https://www.bfdi.bund.de/
Note: Germany manages complaints among a number of local and state agencies and contacting
additional entities may be required to identify the proper regional authority.
Greece – https://www.dpa.gr/
Hungary – https://www.naih.hu/
Ireland – https://www.dataprotection.ie/
Italy – https://www.garanteprivacy.it/
Latvia – https://www.dvi.gov.lv/
Lithuania – https://vdai.lrv.lt/
Luxembourg – https://www.cnpd.lu/
Malta – https://www.idpc.org.mt/
Netherlands – https://autoriteitpersoonsgegevens.nl/
Poland – https://uodo.gov.pl/
Portugal – https://www.cnpd.pt/
Romania – https://www.dataprotection.ro/
Slovakia – https://www.dataprotection.gov.sk/
Slovenia – https://www.ip-rs.si/
Spain – https://www.aepd.es/
Sweden – http://www.imy.se/

APPENDIX B: EEA SUPERVISORY AUTHORITIES
Iceland – https://www.personuvernd.is
Liechtenstein – https://www.datenschutzstelle.li
Norway – https://www.datatilsynet.no

APPENDIX C: GDPR OUTSIDE OF EU/EEA
Switzerland (Swiss FDAP) – https://www.edoeb.admin.ch/edoeb/en/home.html
United Kingdom (UK GDPR) – https://ico.org.uk
California, USA (CCPA) – https://www.oag.ca.gov/privacy/ccpa