Telix’s commitment to maintaining your privacy
1. Background and purpose
Telix is a biopharmaceutical company focused on the development and commercialisation of diagnostic and therapeutic products using Molecularly Targeted Radiation. Telix is headquartered in Melbourne, Australia with regional offices in Belgium, Switzerland, Japan, and the United States. Telix collects and holds personal information necessary for us to carry out our business. We collect, use, and disclose your personal information in accordance with this Policy.
As an Australian-headquartered business, Telix and all of its subsidiaries are committed to protecting the privacy of information and to handling personal information in a responsible manner in accordance with Australian privacy legislation, including the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles (APPs), and relevant Australian State and Territory privacy legislation (collectively the Australian Privacy Law). Telix and its subsidiaries also act in accordance with applicable legislation concerning privacy in other countries and regions in which Telix operates, including but not limited to the General Data Protection Regulation 2016/679 (GDPR), UK Data Protection Act 2018 (amended 2020) (UK DPA), Swiss Federal Act on Data Protection (FADP), US Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Japanese Act on the Protection of Personal Information (APPI) (collectively referred to as privacy laws).
This Policy applies to Telix’s handling of personal information or personal data regarding patients, healthcare professionals, customers, other third-party business associates, employees, and others and to the management of that personal information (collectively referred to as personal information). While this Policy is intended to establish a standard for our information processing activities globally, the laws of a particular country may limit the types of personal information we can collect or the manner in which we process that personal information. In those instances, Telix will comply with relevant local laws and regulations.
3.1 What information do we collect?
The types of personal information that we collect and process may vary depending on your relationship with us as well as by jurisdiction based on applicable law. The term “personal information” under this Policy refers to information about an identifiable individual, and may include:
- Contact details: including your name, address, telephone numbers, email addresses and social media handles/usernames.
- Demographic information: such as gender, citizenship, date of birth.
- Personal information in reports you submit to us: if you submit information about our products and services through our websites (for example, through a suspected adverse event reporting form), we will collect any personal information you include within your report.
- Health information: for example, COVID vaccination status to ensure health and safety while attending Telix’s premises (where permitted by applicable privacy laws) or if you submit healthcare information to us reporting adverse events relating to our products.
- Employment information: if you apply for a job with us, we will collect information such as your employment history, references, and anything else you may include in the job application form or in any attachments such as CVs.
- Records of your discussions with us: when you contact us using the contact options on our websites (whether by email, phone, an online form or through social media (such as through Twitter or LinkedIn)), we may keep a record of the information you provide when doing this.
- Social media sites: we may collect aggregate statistical data and information you choose to share with us on social media (e.g., Twitter, LinkedIn, Facebook, YouTube).
- Location information: your smartphone or computer’s IP address may tell us your approximate location when you connect to our websites.
- Clinical trials: we may collect your personal information in the course of conducting clinical trials including the information provided when completing information sheets and forms, such as pre-treatment evaluation forms and patient consent forms.
3.2 How does Telix use my information?
Telix collects and uses personal information to the extent necessary to conduct our business and pursue our legitimate business interests. Subject to applicable laws, we may collect, use, process and disclose relevant portions of your personal information in order to:
- administer, operate, facilitate and manage Telix’s business and your relationship with Telix, including communicating with you in relation to our business, products and services;
- fulfil a contract we may have with you, such as where you have made a purchase from us;
- facilitate our internal business operations, including fulfilling our legal and regulatory requirements;
- undertake medical research, including the recruitment of study participants and operation of clinical trials;
- enable you to report serious adverse events in relation to any of our products;
- enable you to apply for jobs or other opportunities at Telix;
- administer, operate and manage Telix’s website, including to contact any person in relation to the use of Telix websites and to create a personalised experience when using Telix websites; and/or
- respond to any comments or complaints you send us.
3.3 Disclosure of information
Telix will not disclose your personal information to third party marketing or advertising businesses or sell or trade your personal information with third parties. There are, however, some occasions where Telix may be required to disclose your personal information to a third party in order to operate our business. These times are limited, but may include:
- Suppliers and agents: Telix may engage other businesses, certain services and individuals to assist with or perform functions or activities on our behalf. Examples include (a) clinics or hospitals (where treatment is received, and/or clinical trials are performed); (b) medical practitioners and related staff; (c) health insurers and health service providers; (d) persons to whom certain functions are outsourced (e.g. information technology support, payment servers, wireless carriers, system analysis providers, and data storage providers); (e) auditors and insurers; (f) government and law enforcement agencies and regulators; and (g) entities established to help identify illegal activities and prevent fraud. They may have access to some personally identifiable information needed to perform their functions.
- Company reorganisation: to a third party in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
- Where necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our subsidiary companies; (f) to protect our rights, privacy, safety or property, and/or that of our subsidiary companies, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
3.4 Direct Marketing
Telix does not generally engage in direct marketing activities. However, on occasion Telix may communicate with individuals by email and other forms of communication and where applicable according to privacy laws, based on your consent. If any person does not want to receive emails and/or other communications from Telix, they can inform Telix at any time. Any person may opt out of electronic communications by contacting Telix using the contact details provided in section 3.12 below.
3.5 Sensitive Information
- necessary to lessen or prevent a serious threat to life, health or safety;
- necessary pursuant to a legal requirement;
- required for another permitted general situation (as defined in Section 15A of the Privacy Act 1988 (Cth) or other international privacy laws); or
- for a permitted health situation (as defined in Section 16B of the Privacy Act 1988 (Cth) or other international privacy laws).
3.6 How does Telix protect your information?
Telix takes all reasonable steps to ensure the security of our systems and to protect your information from misuse, interference, and loss as well as unauthorised access, modification, or disclosure. Telix limits access to personal information by our employees and service providers, except as described in this Policy. Any employee or service provider who does have access to your personal information is under an obligation to keep such information confidential.
Your information is stored on high security servers. Where we use a data storage partner, we will make that selection based primarily on their level of security, reliability and experience in the storage and treatment of data, including personal information.
In the event of a data breach, Telix is committed to complying in all respects with the requirements of all relevant privacy laws, where required, including but not limited to, the provisions of the Australian Privacy Law, the GDPR, the UK DPA, the HIPAA and the APPI. Telix has in place data breach policies and plans which apply when handling personal information breaches related to the Data Protection Laws applicable to Telix.
The transmission of information via the internet is not completely secure. Telix cannot guarantee the security of personal information transmitted via the internet. Any transmission to our websites is at your own risk.
3.7 Overseas Recipients
Telix businesses and third parties to whom we may provide your personal information are located in countries including, but not limited to Australia, Austria, Belgium, Brazil, Canada, France, Germany, Greece, Japan, Netherlands, New Zealand, Spain, Sweden, Switzerland, the United Kingdom, and the United States of America. By sharing personal information with Telix, that personal information may be transferred to, or be accessible by businesses in other countries that form part of the Telix group.
When disclosure is to be made to an overseas entity, Telix will take reasonable steps to assess the privacy laws of the country where information will be disclosed to determine whether the overseas recipient is required to comply with privacy laws that are at least as stringent as the privacy laws of its existing operations in relation to the information.
If Telix transfers personal information originating from the European Union (the EU) to countries outside the EU it will only do so in accordance with the GDPR, i.e. no data will be transferred to a third country before having introduced appropriate measures to ensure a suitable level of data protection. The GDPR requires that one of the following conditions applies to such transfer:
- the European Commission has decided that the country provides an adequate level of protection for your personal information (in accordance with Article 45 of the GDPR);
- the transfer is subject to a legally binding and enforceable commitment on the recipient to protect the personal information (in accordance with Article 46 of the GDPR);
- the transfer is made subject to binding Standard Contractual Clauses adopted by the European Commission (in accordance with Article 46 of the GDPR);
- the transfer is made subject to binding corporate rules (in accordance with Article 47 of the GDPR); or
- the transfer is based on a derogation from the GDPR restrictions on transferring personal information outside of the EU (in accordance with Article 49).
Telix also ensures that any third party it uses to store or process information (generally referred to as “data controllers” under the GDPR) is compliant with GDPR and where necessary, will seek evidence of compliance with the Standard Contractual Clauses for data transfers from each data processor it uses.
Similar principles will apply if Telix transfers personal information originating from the United Kingdom (the UK) to countries outside the UK or from Switzerland (the CH) to countries outside the CH, according to UK DPA and FADP respectively.
3.8 Your Rights: data accuracy and access
Telix strives to keep your personal information accurate. We provide individuals with reasonable access to their personal information so that they can review and correct it or ask us not to use it (subject to applicable laws). We do not charge for this service and will respond to reasonable requests in an appropriate timeframe. If you wish to exercise your rights, please contact us using the contact details in section 1.12 below.
If your personal information is subject to EU GDPR, UK DPA and/or Swiss FADP, you are also entitled to the following rights: right of access, right of rectification, right to erasure, right to restrict processing, right to object, right to data portability. If you would like more information about your rights, please contact us using the contact details in section 3.12 below.
3.9 Data Retention
Generally, Telix will retain your personal information as long as it is necessary to achieve Telix’s processing activities. This especially applies where the use of your personal information is under the scope of EU GDPR, UK DPA and/or Swiss FADP.
You may also ask us to delete such information (subject to applicable laws). If you ask us to delete your personal information at any time, be aware that Telix cannot guarantee that it will be able to delete such information from back-ups or caches of our databases; however, we will ensure that we do not actively access such data.
This Policy may be changed from time to time to reflect changes in law or changes in our practices concerning the collection and use of personal information. If we make changes that materially alter your privacy rights, Telix will provide additional notice, typically via email.
If any person has a complaint about the privacy of their personal information, Telix requests that they contact Telix in writing at the email below. Upon receipt of a complaint Telix will consider the details and attempt to resolve the matter in accordance with Telix complaints handling procedures.
Telix will respond to the complaint within a reasonable time, and Telix may seek further information from the person in order to provide that person with a full and complete response.
If any person is dissatisfied with Telix’s handling of a complaint or the outcome, they may make an application to their relevant country Data Protection Authority (if applicable).
For Australian complaints
Office of the Australian Information Commissioner (OAIC)
175 Pitt Street
Sydney NSW 2000
Phone 1300 363 992 (Monday–Thursday 10am–4pm AEST/AEDT)
Fax +61 2 9284 9666
For EU complaints
Please find the name and contact details of all EU Member States Supervisory Authorities here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
For UK complaints
Information Commissioner’s Office (ICO)
Phone: 0303 123 1113
Fax: 01625 524510
For Switzerland complaints
Federal Data Protection and Information Commissioner (FDPIC)
CH – 3003 Berne
Phone: +41 (0)58 462 43 95 (mon.-fri., 10-12 am)
Fax: +41 (0)58 465 99 96
For US HIPAA complaints
U.S. Department of Health & Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-800-368-1019
TTD Number: 1-800-537-7697
For Japanese complaints
Personal Information Protection Commission Japan
Kasumigaseki Common Gate West Tower 32nd Floor,
3-2-1, Kasumigaseki, Chiyoda-ku, Tokyo, 100-0013, Japan
For other countries, refer to the relevant responsible country regulator.
3.12 Contacting us
If you have questions regarding this Policy, or privacy concerns (including about your personal information handling, your rights, or your data transfers) or complaints, please contact our Privacy Officer via firstname.lastname@example.org who will guide you on the process to follow to satisfy your request according to local applicable privacy laws.