Our privacy policy outlines how we collect, use, and protect your personal data.
It also details your rights and options regarding your information.
It also details your rights and options regarding your information.
Introduction
This notice applies to individuals based in the UK/EU who are either participants within specific clinical trials or employees of LUMA Vision Ltd and LUMA Vision GmbH.
LUMA Vision respects your privacy and is committed to protecting your Personal Data.
This Notice details how your Personal Data is treated, the privacy rights you have according to applicable laws (including the General Data Protection Regulation (GDPR)) and how the law protects you.
Controller
LUMA Vision has two legal entities in which they are separate controllers of the personal data to which this privacy notice relates: LUMA Vision Ltd and LUMA Vision GmbH (referred to as LUMA Vision, “we”, “us” or “our” in this privacy notice).
This means that we are responsible for making sure that we process your data in compliance with the GDPR regulations.
We have appointed a data protection officer (“DPO”) whose role includes overseeing questions in relation to how we process your personal data. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our DPO using the details set out below.
Contact details for Munich
LUMA Vision GmbH
Email address: [email protected]
Our postal address: LUMA Vision GmbH, Balanstr. 69b, 3rd Floor, 81541 Munich, Germany
Contact details for Dublin
LUMA Vision Ltd
Email address: [email protected]
Our postal address: LUMA Vision, Block C Parkview House, Beech Hill Office Campus, Beech Hill Road, Dublin D04 K5D0, Ireland
Our outsourced DPO contact details are
DPO contact name: Kaleidoscope Consultants
DPO email address: [email protected]
Transferring data
In general, your personal data is only processed inside of LUMA Vision and not shared with third parties. In some cases, it may be necessary to share your personal data with associated companies or service providers. In such cases we have concluded respective data processing agreements (Art. 28 GDPR) or joint controller agreements (Article 26 GDPR) to ensure the lawfulness of the transfer and secure your personal data.
Personal data processed
| Purposes of processing | Types of individuals | Types of personal data | Retention period | Lawful basis |
| Project management, financial records. | Partners, Clients/staff or staff of suppliers and organisations associated with client projects. | Name, work email address, work telephone numbers. | 8 years after last payment. | Article 6(1)(b) – contract. |
| Financial records and account management. | Suppliers. | Name, work email address, work telephone numbers. | 8 years after last supply. | Article 6(1)(b) – contract. |
| Marketing of products and services, invitation to events, networking. | Potential clients and suppliers. | Name, email address, telephone number, organisation, job title. | 2 years from last contact. | Article 6(1)(a) – consent. |
| Recruitment. | Applicants or persons who are interested in working at LUMA Vision. | Name, address, contact details and application data. | In principle, the data is deleted as soon as it is no longer required for the selection of applicants. In the case of unsuccessful applications, your data will be deleted six months after the rejection decision unless longer storage is required due to legal disputes. | § 26 (1) BDSG, Article 6(1)(b) – pre-contractual measures and contract or Article 6(1)(a) – consent. |
| Employment, contract, sickness, holiday, pension, payroll, emergency contract in case of injury or illness. | Employees and contractors. | Name, email address, telephone number, address date of birth, social security number, Emergency contact details. | 8 years after leaving. | Article 6(1)(b) – contract
Exemption – Article 9(2)(h) |
| Pension, basic staff record to allow for factual employment verification. | Previous employees. | Name, email address, telephone number, address, birthday, social security number. | We will follow the pension regulator retention schedule or employment law. | Article 6(1)(c) legal obligation. |
| To conduct research | Patients who register their interest and participate and study team professionals who conduct the research. | Name, contact details, study ID and health data. | 25 years (EEA). | Article 6(1)(f) – legitimate interest and Article 9(2)(j) research. |
| To ensure our patients are safe throughout the research. | Patients who participate in the research and study team professionals who conduct the research. | Name, contact details, study ID and health data. | 25 years. | Article 6(1)(c) legal obligation and Article 9(2)(i) in the public interest to ensure high standards of quality and safety. |
| Communicating regarding any concerns, queries or complaints. | All patients. | Name, contact details, any relevant information including health. | 7 years. | Article 6(1)(f) legitimate interest and Article 9(2)(i) in the public interest to ensure high standards of quality and safety. |
| Complying with our legal or regulatory obligations, and defending or exercising our legal rights where necessary. | All patients. | All personal data held by LUMA Vision where necessary. | 78 years. | Article 6(1)(c) legal obligation and Article 9(2)(f)/(g) in the substantial public interest/or Article 9(2). |
Further purposes
If necessary, we process your data for additional purposes:
- Satisfying our legitimate interests (Article 6(1)(f) GDPR), including the following:
- to complete a corporate transaction (e.g., corporate restructuring, sale or assignment of assets, merger);
- to protect, enforce and defend our rights, property and interests;
- Ensuring compliance with legal obligations, court orders or other binding decisions of public authorities (Article 6(1)(c) GDPR).
- As a contractual/statutory requirement according to Article 13(2)(e) GDPR.
Your rights
Please contact the organisation’s Data Protection Officer at [email protected] if you wish to exercise your rights as described within table below.
LUMA Vision will endeavour to provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. Not all rights are absolute, and exemptions may apply, to find out more please contact us at the above email address.
| Right | Meaning |
| Access GDPR Article 15 | You may request a copy of the data held by us about you. |
| Rectification GDPR Article 16 | If you think the data held by us is wrong and you may request that it is corrected. |
| Erasure (Right to be forgotten) GDPR Article 17 | You can request that your data is deleted by us.
|
| Restriction GDPR Article 18 | There are circumstances in which you may ask us to stop processing your data but we must otherwise keep the data. For example, where required by law. |
| Portability GDPR Article 19 | You can ask for a copy of your data in a format that can be readily transferred to another company. |
| Objection GDPR Article 20 | You can object to the processing of your personal data when we are relying on a legal obligation or public duty legal basis or where we are processing in our legitimate interest, especially for direct marketing. |
| Automated decisions GDPR Article 22 | Where a computer makes a decision about you without a human intervention, for example if an online loan application, you have the right to know how the decision was arrived at. |
Complaints
If you have any complaints regarding our use of personal data, our Data Protection Officer can be contacted at [email protected]. In the event we cannot resolve your complaint immediately, you have the right to complain to the relevant supervisory authority.