Effective January 1, 2020
1. Types of Personal Information We Collect
The following list describes the general categories of Personal Information we have collected or otherwise received in the past 12 months along with examples of some of the types of information within these categories that may qualify as Personal Information and which we may have collected or otherwise received. It also describes the categories of such information we may continue to collect and our uses of it. The examples are not intended to be comprehensive, and there may be overlap between categories.
- Contact information and other identifiers, such as name, signature, postal address, email address, phone number, fax number, account name, Social Security number, tax identification number, photographs, copies of identification documents (e.g., passport, driver’s license), and other similar identifiers
- Unique device and online identifiers, such as IP address, device IDs, browsing history, and other similar identifiers
- Demographic and association-related information, such as age and date of birth, place of birth, residency information, sex, information on other characteristics of protected classes individuals may provide us, information required for background checks on job applicants once an offer of employment has been extended, family member information, authorized signatories, and information on parties associated with an account5
- Commercial and financial information, such as records of property, products, or services purchased, obtained, or considered; other investing or consuming histories or tendencies; information on investments, assets, expenses, accounts, net worth, tax information, holdings, account balances, transaction history, utility bills, bank statements, credit history, and trust and estate planning documents
- Internet or other electronic activity information, such as information regarding an individual’s interaction with a website or application, and calls and emails sent and received
- Geolocational information that may be collected on OrbiMed contractors and vendors as they use OrbiMed systems
- Audio, electronic, visual, thermal, or olfactory information, such as photographs, video footage, and voicemail
- Educational and professional background information, such as degrees or certifications sought and obtained, other qualifications, references, resumes, information on positions held, work performance and work product, and military service history
We may also receive other Personal Information that you or others provide us or store on our systems, such as in communicating or otherwise interacting with us, providing a reference, or attending an event with us.
2. Sources of Personal Information
In the ordinary course, we collect or otherwise receive the categories of Personal Information above from a variety of sources, including from you directly or from someone who knows you or through automatic collection on our websites. In particular, we may obtain Personal Information: from an individual data subject or a relation of the data subject, such as from personal or business contacts of clients and investors (e.g., financial institutions, advisors, consultants, and other intermediaries or representatives) or other data subjects (e.g., recruiters or references for job applicants); other business contacts of OrbiMed personnel (e.g., financial institutions, service providers, consultants or advisors); research and subscription services; publicly-available sources; governmental agencies, supervisory authorities, and tax authorities; background check companies, credit agencies, or fraud prevention and detection agencies; automated collection on our websites (including through cookies), applications, devices, systems, and networks; or from business and other records legally available to us.
3. Uses of Personal Information
With respect to each of the categories of Personal Information above, we may collect and use the information for the following purposes:
- Administering the relationship between and serving investors and clients
- Business operations, including but not limited to: securing credit or financing; managing administrative and operational matters; administering our service provider, contractor, and vendor relationships and services; auditing; conducting research and analysis; designing and improving operations, products, and services; and managing risk
- Marketing our products and services
- Complying with applicable legal or regulatory requirements and OrbiMed policies and contracts, responding to valid legal requests, assessing and investigating compliance, and other legitimate business and commercial purposes
- Monitoring, managing, and securing resources, property, and personnel
- Enforcing or defending our rights
- Recruiting, hiring, performance and talent management
- Sharing with third parties that may in the future acquire or be interested in acquiring all or part of our assets or interests in our business, or that may succeed us in carrying on our business or to which our business is transferred
- As described to you when collecting the information
We rely upon grounds permitted under applicable law to process your Personal Information. Such grounds include instances where you have given your consent and cases where your consent is not required under applicable law, such as: where we are required to comply with a legal obligation; where necessary for the performance of a contract entered into with you; or where we (or a third party) determine that it is necessary for our legitimate interests, i.e., in operating and managing our business, including, in addition to the purposes noted above, for other legal, personnel, administrative, and management purposes; the prevention and detection of crime; and any other purpose where we or a third party have determined that you have a reasonable expectation that we or a third party would collect or use your Personal Information for such purpose. If you are an individual in the European Economic Area (the “EEA”) / United Kingdom (the “UK”), you have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. However, we may not be able to fulfil such requests.
4. Consequences of Failing To Provide Personal Information
As a regulated financial services firm, we are subject to legal and regulatory obligations that may require us to collect and store your Personal Information, such as the requirements to comply with the applicable law on the prevention of financial crime, tax and regulatory reporting, or the rules on recording and monitoring of communications (as described below). We may also need to collect and use your Personal Information for the purposes of entering into or performance of a contractual arrangement.
There may be various consequences to refusing to provide us with your Personal Information, depending on the purpose for which the information is required. For instance, we may not be able to communicate with you, we may need to terminate any service or other contractual arrangement between us, or—where we have a reasonable suspicion of illegal activity—we may be required to make a report to regulatory or enforcement agencies.
5. Sharing Personal Information
We have disclosed for a business purpose in the last 12 months, and may continue to disclose for a business purpose, each of the categories of Personal Information in Section 1 above.
We may share Personal Information with the following types of third parties:
- Our affiliates or other entities that are part of our group or with our clients
- Third parties (including regulators and courts) to comply with legal or regulatory obligations or in response to valid legal requests, including to the extent required by law, regulation, subpoena or court order or otherwise in connection with a judicial, administrative or governmental proceeding or as requested by any governmental agency or regulatory authority; to detect and protect against fraud or any technical or security vulnerabilities; or to respond to an emergency or otherwise to protect the rights, property, safety, or security of our business, third parties, or the public
- Service providers and trading counterparties to us and our clients, including placement agents or distributors, brokers, banks, trading venues, clearing houses, custodians, corporate services providers, administrators of our funds, providers of customer or client relationship management tools, telecommunications and information technology (“IT”) providers, human resources-related service providers, advisors (including but not limited to tax and legal and compliance advisors), accountants, vendors, and consultants
- Business partners and contacts
- Any person, as directed by you
- Any person to whom we may in the future transfer any of our rights or obligations under any agreement, or in connection with a sale, merger or consolidation of our business or other transfer of our assets, whether voluntarily or by operation of law, or who is otherwise deemed to be our successor or transferee
6. Cookies and Analytics
In particular, we use Google Analytics to evaluate the use of our websites. To get more information about the Personal Information Google collects through this service, and to utilize Google’s opt-out browser add-on, as may be amended from time to time, please refer to Google’s webpages at: https://policies.google.com/privacy, https://policies.google.com/technologies/partner-sites, and https://tools.google.com/dlpage/gaoptout/.
7. International Data Transfers
We may process your Personal Information in the United States, the EEA / UK, and other countries outside the jurisdiction where it was collected that may not offer the same level of data protection as that afforded by the jurisdiction in which you are present. We will process Personal Information (or procure that it be processed) in accordance with the requirements of applicable law, which may include having appropriate contractual undertakings in legal agreements with service providers who process Personal Information on our behalf. Further information in relation to the transfer of Personal Information (including, to countries outside of the EEA / UK) is available on request using the contact details set out below.
8. Retention of Personal Information
We will generally keep Personal Information about you for as long as necessary in relation to the purpose for which it was collected, or for such longer period if required under applicable law or necessary for the purposes of our other legitimate interests.
The applicable retention period will depend on various factors, such as any legal obligation to which we or our service providers are subject, as well as on whether you decide to exercise your right to request the deletion of your Information from our systems. At a minimum, Personal Information about you will generally be retained for the entire duration of any business relationship we may have with you, and generally for a minimum period of five years after the end of the year in which any such relationship is terminated.
We will, from time to time, review the purpose for which we have collected Personal Information about you and decide whether to retain it, update it, or securely delete it, if the Personal Information is no longer required.
Our websites are not directed to persons under age 18 and we do not sell the Personal Information of such individuals.
10. Security Measures
We aim to protect Personal Information by implementing and maintaining reasonable security, such as by using reasonable organizational, technological, and physical safeguards appropriate to the sensitivity of the Personal Information we hold. We take measures, which are at least as strict as the law requires, to safeguard your Personal Information, but we cannot guarantee its absolute security. Please use caution any time you provide information over the internet.
11. Do Not Track Signals
At this time, our websites do not respond to browsers and do not track signals.
12. Rights Regarding Personal Information
A. Data Rights in Certain Jurisdictions
Persons in certain jurisdictions (e.g., the EEA / UK) have rights under data protection laws that may apply to the Personal Information we hold about those persons and which they may exercise. These include:
- To request access to your Personal Information
- To request rectification of inaccurate or incomplete Personal Information
- To request erasure of your Personal Information (a “right to be forgotten”)
- To restrict the processing of your Personal Information in certain circumstances
- To object to our use of your Personal Information, such as where we have considered such use to be necessary for our legitimate interests and/or in the case of direct marketing activities
- Where relevant, to request the portability of your Personal Information to a third party
- Where you have given consent to the processing of your Personal Information, to withdraw your consent
- To lodge a complaint with the competent supervisory authority
B. California Residents’ Rights
Please note that these rights under the CCPA do not apply to information about OrbiMed investors that is covered by the U.S. Gramm-Leach-Bliley Act and implementing regulations, and the California Financial Information Privacy Act, laws which generally apply to nonpublic personal information about individuals who obtain financial products or services from us primarily for personal, family, or household purposes. At this time, the CCPA also includes exemptions from certain of its provisions for information about our personnel (including employees, directors, officers, and contractors) and job applicants, as well as certain information processed exclusively in the business-to-business context (e.g., information about an individual acting in his or her capacity as a representative of an entity). Much of the personal information OrbiMed maintains is subject to these exemptions.
For purposes of this section of our Policy, “personal information” is limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.
Right to request disclosure of personal information we collect and share about you
If you are a California resident whose personal information is covered by the CCPA, you may submit a request to us for the following information:
- The categories of personal information we have collected about you
- The categories of sources from which we collected the personal information
- The business or commercial purposes for which we collected or sold the personal information
- The categories of third parties with which we shared the personal information
- The specific pieces of personal information we collected
You can also submit a request to us for the following information:
- The categories of personal information (if any) that we have sold about you, the categories of third parties to which we sold that information, and the category or categories of personal information sold to each third party
- The categories of personal information that we disclosed about you for a business purpose
Our responses to such requests will cover the 12-month period preceding our receipt of the request.
Right to request the deletion of personal information we have collected from you
You may also submit a request that we delete personal information about you. If you make such a request, after verifying the request, we will delete the personal information, except for situations where specific information is necessary for us to: provide you with a good or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. We may also retain information where another exception to the deletion requirements in Cal. Civ. Code § 1798.105(d) applies. For instance, the law permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
Sales of personal information
We do not and will not sell your personal information to third parties. Likewise, we have not sold your personal information in the last 12 months.
How to exercise your California rights
To exercise your right to request the disclosure of your personal information that we collect or share, or to ask us to delete your information, either click here or contact us at (866) 210-8234. Depending on the nature of your request, we may ask you for information to verify your request and identity and a declaration attesting to your identity, signed under penalty of perjury. We will respond to requests for access or deletion as soon as practicable and, in any event, generally not more than within 45 days after receipt of your request. We may extend this period to 90 days in some cases. Please note that you may designate an agent to submit requests on your behalf. Requests can be submitted on behalf of yourself individually or on behalf of your household, provided that we can verify that the request comes from each member of your household.
We are committed to complying with the law. If you exercise any of the rights explained in this Policy, we will continue to treat you fairly.
13. Third-Party Links
15. How To Contact Us
1As used herein, "affiliate" means an entity that controls, is controlled by, or is under common control with another entity.
2"Personal data" is information covered by the EU General Data Protection Regulation (the “GDPR”) in circumstances where the GDPR applies.
3This term refers to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.
4This Policy is not intended to cover information that we collect, other than through this website, about our employees.
5Please note that we do not seek to collect information on characteristics of protected classifications from job applicants.