In 2000, the federal government of Canada enacted The Protection of Personal Information and Electronic Documents Act. Effective January 1, 2004, all organizations that collect, use or disclose personal information in the course of their commercial activities will be subject to PIPEDA or substantially similar provincial legislation.
While this policy applies strictly to personal information, other Compugen policies also apply to the privacy and confidentiality of customer information and data. Please see the Policies Procedures and Programs document for details. Moreover, this policy is subject to other Compugen policies, including, but not limited to, the E-mail and Internet usage and attendance policies.
General Data Protection Regulation (GDPR) of the European Economic Area
EU residents have special rights under GDPR
Compugen adheres to applicable data protection laws in the EEA, which provide certain rights relating to personal data (for European Union residents), subject to legal exceptions. These rights are outlined in ANNEX B.
Residents of California and the California Consumer Privacy Act, 2018
Residents of California have additional rights under the California Consumer Privacy Act, 2018, which came into effect 1 January 2020. These rights are described in ANNEX C.
Other Data Protection Regulations
Individuals in countries outside of the European Economic Area may exercise their rights under any applicable data protection laws by contacting us in accordance with the “How to contact us” section, below.
Compugen - means Compugen Inc.
Collection - means the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.
Consent - means voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require an inference on the part of Compugen. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Customer - means an identifiable individual who: (a) uses, or applies to use, the products or services of Compugen;
Disclosure - means making personal information available to third parties outside of Compugen.
Employee - means an employee or former employee of Compugen.
Personal information - means information about an identifiable individual recorded in any form and includes, but is not limited to, such things as race, ethnic origin, nationality, colour, age, gender, marital status, religion, education, medical information, performance reviews, benefits information, employment and financial history, income, home address or home telephone number, personal email address, numerical identifiers such as Social Insurance Number, and personal opinions. Personal information also includes information about an identifiable individual’s product and service purchases and usage, credit information, billing records, service and any recorded complaints and, in the case of a staff member, includes information found in personal employment files. Publicly available information, such as a public directory listing of names, addresses, telephone numbers and electronic addresses, however, is not considered personal information.
Privacy legislation - means The Personal Information Protection and Electronic Documents Act (Canada) and/or substantially similar provincial legislation.
Staff member - means an employee or former employee of Compugen.
Third party - means an individual other than the customer/staff member or his or her agent or an organization other than Compugen.
Use - means the treatment, handling and management of personal information by Compugen.
THE TEN PRIVACY PRINCIPLES
PRINCIPLE 1 - ACCOUNTABILITY
1.2. The name and contact information of the CPO shall be made available on the Compugen website at www.compugen.com and the Compugen Intranet site, and shall be made available upon request.
1.3. Each Compugen department shall be responsible for the personal information in its possession or custody, including information that has been transferred to a third party for processing. Each Compugen department shall use contractual or other appropriate means to ensure a comparable level of protection while the information is being processed by a third party.
(a) implementing procedures to protect personal information such as the adoption of physical, organizational and technological security measures;
(b) establishing procedures to receive and respond to complaints and inquiries through the establishment of a confidential e-mail address;
(c) training and communicating to staff members information about the Compugen privacy policies and practices; and
(d) developing public information to explain Compugen’s policies and procedures.
PRINCIPLE 2 - IDENTIFYING PURPOSE
Compugen will identify the purpose for which personal information is collected at or before the time the information is collected. The purposes for which information is collected, used or disclosed by Compugen must be those that a reasonable person would consider are appropriate in the circumstances.
2.1. Compugen will document the purposes for which personal information is collected in order to comply with the Openness principle (See Principle 8) and the Individual Access principle (See Principle 9).
2.2. Identifying the purposes for which personal information is collected at or before the time of collection allows Compugen to determine the information it needs to collect to fulfill these purposes. The Limiting Collection principle (Principle 4) requires Compugen to collect only that information necessary for the purposes that have been identified.
2.3. The identified purposes for which personal information is collected shall be specified at or before the time of collection to the staff member or customer from whom the personal information is collected. Depending upon the way in which the information is collected, this shall be done orally or in writing.
2.4. When Compugen proposes to use personal information that has been collected for a purpose not previously identified, it will identify the new purpose before using such personal information. Unless the new purpose is required by law, or consent is otherwise not required pursuant to privacy legislation, the consent of the individual shall be obtained before the personal information is used for the new purpose.
2.5. Individuals responsible for collecting personal information on behalf of Compugen will explain to employees or others the purposes for which the information is being collected, including any purposes that may not be immediately obvious to the individual.
2.6 The purposes for which the personal information of staff members is collected may include but are not limited to: administering payroll and employee benefit programs; conducting performance evaluations and discipline; effecting employee training; conducting internal reviews, investigations and complaint resolution processes; facilitating transactional due diligence reviews; complying with legal and regulatory obligations.
2.7 The purposes for which the personal information of customers is collected may include, but are not limited to: processing commercial transactions; communicating with customers; establishing and maintaining commercial relations; developing, marketing or providing products and services; recommending particular products and services; conducting market research and surveys; managing and developing business opportunities; conducting investigations and complaint resolution processes; facilitating transactional due diligence reviews; complying with legal and regulatory obligations.
2.8 Anonymous or “non-personal” information gathered by Compugen through its web site may be used for technical, research and analytical purposes. Information collected through surveys, existing files and public archives may be used by Compugen to analyze its markets and to develop or enhance service offerings.
PRINCIPLE 3 - CONSENT
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where consent is not required by privacy legislation.
3.1. Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Generally, Compugen will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to the use or disclosure of personal information may be sought after the information has been collected but before the personal information is used (for example, when Compugen wants to use information for a purpose not previously identified). In obtaining consent, Compugen shall use reasonable efforts to ensure that an employee or customer is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood.
3.2. In certain circumstances personal information may be collected, used or disclosed without the knowledge and consent of the individual. For example, Compugen may collect or use personal information without the knowledge or consent of its employees and/or customers if the collection or use of personal information is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated, or if seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law. Personal information may also be used or disclosed without the knowledge or consent of the individual in the case of an emergency where the life, health or security of an individual is threatened. Compugen may disclose personal information without knowledge or consent to a lawyer representing the company, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.
3.3. Compugen will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
3.4. In obtaining consent, Compugen will take into account the sensitivity of the personal information and the reasonable expectations of its customers and staff members. Consent will not be obtained through deception. For example: An individual filing an application for employment with Compugen would reasonably expect that his or her age and marital status would be used for the purposes of administering benefit plans. A staff member filing an application for a dental coverage plan would reasonably expect that the relevant information (employee identification number, name, date of birth) would be collected, used and communicated to third parties in accordance with the dental coverage and for such period of time as the coverage was in effect.
3.5. The way in which Compugen seeks consent may vary, depending on the circumstances and the type of information collected. Compugen will generally seek express consent when the information is likely to be considered sensitive. It will rely on implied consent only where collection and use of the personal information is directly related to a transaction or exchange of information in which the individual is directly participating. Consent may also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
3.6 Consent may be obtained in any one of the following ways:
• an application form may be used to seek consent, collect information and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
• consent may be given orally when information is collected over the telephone; or
• consent may be given at the time that individuals use a product or service.
3.7 Generally, the use of products and services by a customer, or the acceptance of employment or benefits by a staff member, constitutes implied consent for Compugen to collect, use and disclose personal information for all identified purposes.
3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Compugen will inform individuals of the implications of withdrawing consent.
PRINCIPLE 4 - LIMITING COLLECTION
Compugen shall limit the collection of personal information to that which is necessary for the purposes identified by the company. Personal information shall be collected by fair and lawful means.
4.1 Compugen will not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. Compugen shall specify the type of information collected as part of its information-handling policies and practices, in accordance with the Openness principle (Principle 8).
4.2 Consent to the collection of personal information must not be obtained through deception.
PRINCIPLE 5 - LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected.
5.1 Where Compugen intends to use personal information for a purpose not previously identified, Compugen shall document the new purpose and shall obtain the consent of the individual prior to using the information for a new purpose.
5.2 Compugen may disclose the personal information of its staff members: to human resources, payroll, benefits, information management personnel; to third party service providers for the purposes of administering payroll and benefits programs; to internal or external legal counsel and auditors; to the Chief Privacy Officer; to management personnel in the context of providing references regarding current or former staff members in response to requests from prospective employers and/or financial institutions; to prospective parties in the context of a transactional due diligence review; and where disclosure is required by law.
5.3 Compugen may disclose the personal information of its customers: to third party service providers, including distributors, sub-contractors and manufacturers; to internal or external legal counsel and auditors; to the Chief Privacy Officer of Compugen; to the management personnel of Compugen; to third parties for the development, enhancement or marketing of Compugen’s products or services; to an agent retained by Compugen in connection with the collection of the customer’s account; to credit grantors and reporting agencies; to a third party or parties, where the customer consents to such disclosure; to prospective parties in the context of a transactional due diligence review; and where disclosure is required by law.
5.4 Except as required or permitted by law, when disclosure is made to a party other than a third party provider of personal information processing services, the consent of the individual shall be obtained and reasonable steps shall be taken to ensure that any such third party has personal information privacy procedures and policies in place that are at least comparable to those implemented by Compugen.
5.5 Unless otherwise expressly authorized, Compugen will not sell, lease or trade the personal information of its staff members or customers to other parties.
5.6 Personal information shall be kept only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about an employee or customer, Compugen shall retain, for a period of time that is reasonably sufficient to allow for access by the staff member or customer, either the actual information or the rationale for making the decision.
5.7 Personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained shall be destroyed, erased or made anonymous.
PRINCIPLE 6 - ACCURACY
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by Compugen shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual staff member or customer. The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual.
6.2 Compugen will not, however, routinely update personal information, unless this is necessary to fulfill the purposes for which the information was collected. Personal information about staff members and customers shall be updated only as and when necessary to fulfill the identified purposes or upon notification by the individual.
6.3 Compugen shall ensure that personal information that is used on an ongoing basis, including information that is disclosed to third parties, is generally accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
PRINCIPLE 7 - SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
7.1 Compugen will implement security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held.
7.2 The nature of the safeguards will vary depending on (i) the sensitivity of the information that has been collected, (ii) the amount, distribution and format of the information, and (iii) the method of storage.
7.3 Physical measures such as locked filing cabinets and restricted access to offices, organizational measures such as security clearances and limiting access on a “need-to-know” basis, and technological measures such as the use of passwords and encryption have been adopted by Compugen.
7.4 Each staff member of Compugen shall be made aware of the importance of maintaining the confidentiality of personal information.
7.5 Personal information disclosed to third parties shall be protected by contractual agreement stipulating the confidentiality of the information and the purposes for which it is to be used.
PRINCIPLE 8 - OPENNESS
Compugen shall make readily available to its customers and staff members specific information about its policies and practices relating to the management of personal information.
8.1 Compugen will be open about its policies and practices with respect to the management of personal information. Customers and staff members shall be able to acquire information about the Compugen policies and practices with respect to the management of personal information without unreasonable effort.
8.2 Such information shall be made available through the Compugen web and intranet sites and shall include: the name or title, and the address, of the Chief Privacy Officer; the means of gaining access to personal information held by the Company; copies of any information that explains the Compugen policies, standards or codes;
PRINCIPLE 9 - INDIVIDUAL ACCESS
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information except where Compugen is permitted or required by law not to disclose personal information to the individual customer or employee. An individual customer or employee shall be able to challenge the accuracy and completeness of the information disclosed to him or her and have it amended as appropriate.
9.1 Upon request, Compugen shall inform an individual customer or employee whether it holds personal information about that individual (except where permitted or required by law not to disclose personal information) and shall afford the individual a reasonable opportunity to review the personal information in his or her file at minimal or no cost to the individual. Compugen shall provide an account of the use that has been made or is being made of the personal information and an account of the third parties to which the personal information has been disclosed. Where reasonably possible, Compugen shall indicate the source of the personal information.
9.2 In order to safeguard personal information, a customer or employee may be required to provide sufficient identification information to permit Compugen to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
9.3 In certain situations, Compugen may not be able to provide access to all of the personal information that it holds about a customer or staff member. For example, Compugen is not required to provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Similarly, Compugen may not be required to provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, Compugen shall provide the reasons for denying access upon request.
9.5 Compugen will respond to an individual’s request within a reasonable time and in any event within thirty (30) days of the request. The time for responding to a request may be extended for up to an additional thirty (30) days if meeting the time limit would unreasonably interfere with the activities of Compugen, or if the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet. Compugen may also extend the time for responding for such period of time as is necessary to be able to convert the personal information into an alternative format. Compugen will provide notice to the individual of any extension taken within thirty (30) days of the individual’s request and will advise the individual of the right to make a complaint to the Privacy Commissioner about the extension. Compugen will provide the requested information or make it available in a form that is generally understandable. For example, if abbreviations or codes are used to record information, Compugen will provide a corresponding explanation.
9.6 Upon request by an individual with sensory disabilities, Compugen will give access to personal information about the individual in an alternative format if a version of the information already exists in that format or if its conversion to an alternative format is necessary to allow the individual to exercise rights to request correction, challenge compliance of Compugen under Principle 10 or file a formal complaint pursuant to applicable privacy legislation.
9.7 Compugen shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to the accuracy or completeness shall be noted in the individual’s file. Where appropriate, Compugen shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
PRINCIPLE 10 - CHALLENGING COMPLIANCE
10.1 Compugen shall maintain procedures for addressing and responding to all inquiries or complaints from its customers and staff members about the company's handling of personal information.
10.2 Compugen will inform its customers and staff members about the existence of these procedures as well as the availability of complaint procedures.
10.4 If an individual is not satisfied with the response from the Chief Privacy Officer, he or she may have recourse to additional remedies under applicable privacy legislation. For further information, contact the applicable governmental agency listed in the attached ANNEX A.
HOW TO CONTACT US
Write to Andrew Stewart, VP Human Resources, 100 Via Renzo Drive, Richmond Hill, Ontario, Canada L4S 0B8; email: firstname.lastname@example.org; phone: (905) 707-2058.
This policy is effective as of January 1, 2004.
The current version of this policy was issued January 8, 2020.
ANNEX A: GOVERNMENT AGENCIES
Federal Privacy Commissioner
112 Kent Street
Ottawa, ON K1A 1H3
Phone: (613) 995-8210
Toll Free: (800) 282-1376
Fax: (613) 947-6850
Information Management, Access and Privacy Division
Alberta Government Services
16th Floor, 10155 - 102 Street
Edmonton, AB T5J 4L4
Office Phone: (780) 422-2657
Help Desk Phone: (780) 427-5848
Fax: (780) 427-1120
Corporate Privacy and Information Access Branch
Information, Science and Technology Agency
Government of British Columbia
Phone: (604) 660-2421
Minister of Culture, Heritage and Tourism
Information Resources Division
3 - 200 Vaughan Street
Winnipeg, MB R3C 1T5
Phone: (204) 945-2142
Fax: (204) 948-2008
Province of New Brunswick
767 Brunswick Street
P.O. Box 6000
Fredericton, NB E3B 5H1
Phone: (506) 453-2789
Fax: (506) 453-5599
NEWFOUNDLAND AND LABRADOR
Director of Legal Services
Department of Justice of Newfoundland and Labrador
P.O. Box 8700
St. John’s, NL A1B 4J6
Phone: (709) 729-2893
Fax: (709) 729-2129
Department of Justice
Policy and Planning Division
Government of Northwest Territories
P.O. Box 1320
Yellowknife, NT X1A 2L9
Phone: (867) 873-7015
Fax: (867) 873-0307
Nova Scotia Department of Justice
5151 Terminal Road
P.O. Box 7
Halifax, NS B3J 2L6
Phone: (902) 424-4030
Information and Privacy Commissioner of Nunavut
5018, 47th Street
Yellowknife, NT X1A 2N2
Phone: (867) 669-0976
Fax: (867) 920-2511
Information and Privacy Office
Office of the Corporate Chief Strategist
Management Board Secretariat
8th Floor, Ferguson Block
77 Wellesley Street West
Toronto, ON M7A 1N3
Phone: (416) 327-2187
Fax: (416) 327-2190
PRINCE EDWARD ISLAND
Office of the Attorney General
Fourth Floor, Shaw Building
95 Rochford Street
P.O. Box 2000
Charlottetown, PE C1A 7N8
Phone: (902) 368-4550
Fax: (902) 368-5283
Ministère des relations avec les citoyens et de l’immigration
Director of Communications
360, rue McGill, 2nd Floor
Montréal, QC H2Y 2E9
Phone: (514) 873-4546
Fax: (514) 873-7349
11th Floor, 1874 Scarth Street
Regina, SK S4P 3V7
Phone: (306) 787-5473
Fax: (306) 787-5830
Information & Communications Technology Division
Department of Infrastructure
Government of Yukon
2071 - 2nd Avenue
Whitehorse, YT Y1A 2C6
Phone: (867) 393-7048
Fax: (867) 393-6916
ANNEX B: GENERAL DATA PROTECTION REGULATION (GDPR) OF THE EUROPEAN ECONOMIC AREA
EU residents have special rights under GDPR
Compugen adheres to applicable data protection laws in the EEA, which provide certain rights relating to personal data (for European Union residents), subject to legal exceptions. These rights include:
• the right of the EU residents to access personal data that we hold about them.
• the right of the EU residents to rectify inaccurate or incomplete personal data we hold about them without undue delay.
• the right of the EU residents to ask us to erase their personal data (the right to be forgotten) without undue delay, subject to legal exceptions.
• the right of the EU residents to restrict the processing of their personal data, subject to legal exceptions.
• the right of the EU residents to receive their personal data from us in a structured, commonly-used, machine-readable format and to transmit their personal data to a third party without obstruction (right to data portability), subject to legal exceptions.
• where we process personal data based on personal consent, EU residents have the right to withdraw at any time their consent for future processing.
• where we process personal data based upon our legitimate interests or those of a third party, EU residents have the right to object to the processing of their personal data at any time (including objecting to any profiling).
• where we process personal data for direct marketing purposes, EU residents have the right to object to processing of personal data at any time, including profiling to the extent that it is related to such direct marketing.
• the right of EU residents not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
EU residents may lodge a complaint with a data protection supervisory authority if they believe that their data protection rights relating to their personal data have been breached by Compugen or that their personal data has been compromised in some way. A list of data protection authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. EU residents may contact Compugen with requests, complaints or questions regarding these rights as set forth in the “How to contact us” section, above.
ANNEX C: RESIDENTS OF CALIFORNIA AND THE CALIFORNIA CONSUMER PRIVACY ACT, 2018
The California Consumer Privacy Act, 2018 (‘CCPA’), came into effect on January 1, 2020.
Under this Act and its regulations, California residents have certain rights regarding personal information collected by businesses that are within any one of the following descriptions:
• earning gross annual revenue in excess of $25M (wherever earned), or
• doing business with 50,000 or more California consumer customers (individual consumers or households), or
• earning more than 50% of its annual revenue through the sale of consumers’ personal information (wherever obtained).
Such businesses have obligations regarding personal information that they may collect and store in the process of transacting business with those consumers.
The principal obligations of Compugen under the CCPA are:
• ensuring consumer data is complete, accurate and stored securely;
• ensuring policy documents are current;
• ensuring that processes allow for consumers in California to receive their personal information from Compugen, access it and delete it (subject to certain legal limitations);
• receiving, authenticating and acting within the regulations on consumer requests within the regulatory time frame;
• training staff in the relevant processes required by the regulation;
• ensuring data inventory processes are up to date and adequate to the regulatory requirements;
• enforcing a 12-month opt out rule for the sale of personal data to third parties.
In compliance with these corporate obligations, residents of California may contact Compugen’s Chief Privacy Officer (email@example.com) to obtain copies of any personal information that may have been collected or stored about them, and request its correction or deletion as may be required and permitted by law. Such requests will require proof of identity of the requestor satisfactory to Compugen, such as a copy of a bill of sale and provision of related personal information that may have been collected as part of the transaction.
updated 10 January 2020