Legend Biotech Compliance and Ethics Hotline: Privacy Notice

This notice provides information regarding personal data that may be submitted in or collected as a result of a report made through the Legend Biotech Compliance and Ethics Hotline (the “Hotline”). In this notice, “personal data” means any information related to an identified or identifiable individual and does not include anonymous or de-identified data.

Please read this notice carefully prior to submitting a report. If you do not agree with any part of this notice, please do not submit any personal data through the Hotline.

1. General

The Hotline is a web and phone-based intake system provided by Legend Biotech USA Inc. and its affiliates (together, “Legend Biotech”, “us”, “our”, “we”) to our employees, former employees, customers, contractors, vendors, suppliers as well as patients, healthcare providers, organizations and others (“Reporters”, “you”) for reporting suspected or actual violations of laws or regulations, the Legend Biotech Code of Conduct or Standards of Conduct Policy. The Hotline is operated by NAVEX Inc. and its affiliates (together, “NAVEX”). Legend Biotech USA Inc. is the data controller for the purposes of the EU’s General Data Protection Regulation, and Legend Biotech Ireland Limited is our EU representative.

2. Use of the Hotline

Use of the Hotline is voluntary. You are encouraged, but not required, to first report suspected or actual violations directly to your supervisor or manager, or to a representative of the Human Resources, Compliance, or Legal Departments.

The Hotline is an online reporting system that allows you to voluntarily report to Legend Biotech any suspected or actual violations of laws, regulations, or the Legend Biotech Code of Conduct or Standards of Conduct Policy. We take these reports seriously and will use the information you submit to investigate and take corrective action as appropriate.

We encourage you to identify yourself when you make a report, so that we may contact you regarding any follow-up questions, which may be helpful to our investigation, and if appropriate, to provide you with the results of our investigation, among other reasons. Where possible, we aim to protect the identity of anyone who makes a report that they believe to be true at the time, even if an investigation later determines the information reported to be inaccurate. Retaliation against such individuals will not be tolerated by Legend Biotech. However, knowingly submitting false or misleading information may result in disciplinary or other action as appropriate.

Please note that in some countries where we operate, we may not be permitted by applicable law to investigate anonymous reports, meaning that anonymous reports to the Hotline from or about activity in such countries will be deleted with no investigation or further follow-up. Applicable law may also limit the types of reports that can be accepted through the Hotline. In these cases, please contact your supervisor or local management or a representative of the Human Resources, Compliance, or Legal Departments to make or follow up on such a report.

3. What personal data and information is collected and processed?

We collect and process personal data about you and any individuals you name in or that are otherwise identified as a result of your report. Our investigation of any Hotline report may result in the collection and processing of additional personal data related to that report, including from supporting documentation and interviews, and may include personal data about you, the subject of the report, and other individuals, such as witnesses and impacted third parties.

Please consider reporting directly to your supervisor or local management or a representative of the Human Resources, Compliance, or Legal Departments any specific details regarding sensitive information (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, criminal convictions and offences or related security measures).

You may provide the following types of personal data when you make a report to the Hotline: (i) your name and contact details (phone number and email address) and your relationship to Legend Biotech; (ii) the name and other personal data of the persons you name in your report if you provide such information (i.e. description of functions and contact details); (iii) a description of the alleged misconduct; and (iv) a description of the circumstances of the incident, including where it took place. Legend Biotech may collect additional personal data related to the report in its investigation, including supporting documentation, information gathered during verification of the reported facts, and any other relevant information used to investigate and complete the report, including from or about the subject of the report and other individuals, such as witnesses and impacted third parties.

The Hotline is not designed or intended to collect and process information that may be considered “sensitive” under applicable law, for example, specific information regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, criminal convictions and offences or related security measures. To make a report that involves sensitive information, please contact your supervisor or local management or a representative of the Human Resources, Compliance, or Legal Departments.

4. How will the personal data and information be processed after you submit your report?

By ticking the box below, you consent to Legend Biotech using your data as set out in Sections 3 and 4 of this notice.

Where an identified or identifiable individual is the reporter, the subject of a report, or related to a report, such as witnesses or impacted third parties, we will process such individuals’ personal data on the basis of our legitimate interests and/or business purposes, including for the purpose of managing the Hotline and any reports submitted via the Hotline, in order to protect Legend Biotech’s business and ensure compliance.

Except where retention of such personal data or other information is required by applicable law or court order, or where Legend Biotech determines it necessary to defend or pursue potential legal claims or disciplinary action, Legend Biotech will only keep personal data collected via the Hotline for so long as reasonably necessary to investigate a report and will promptly delete any reported information that is determined to be unfounded or outside the Hotline scope.

5. Who may access personal data and information?

Personal data and other information contained in or relating to a Hotline report may be accessed on a need-to-know basis by individuals working in and for Legend Biotech. In some circumstances, individuals working for police, regulators, public authorities or others may access such personal data and information.

Except for reports made from or about China, the personal data and information you provide to the Hotline will be stored in a database on servers hosted and operated in the United States by our vendor, NAVEX. Reports may also be accessed by NAVEX from Columbia. Legend Biotech may access your data from various countries in which it operates, including from within the European Economic Area, the United Kingdom or China. Reports made from or about China will be stored in a database located on servers hosted and operated in China.

NAVEX has entered into contractual commitments with Legend Biotech to secure the information you provide in accordance with applicable law. Transfers to NAVEX are governed by NAVEX’s Privacy Shield certification. For the purpose of processing and investigating your report and subject to the provisions of local law, the personal data and information you provide may be accessed, processed and used by Legend Biotech personnel on a need-to-know basis, including but not limited to Human Resources, Finance, Internal Audit, Legal, Compliance, management, external advisors (e.g., legal advisors), and any vendor retained for the purpose of providing Hotline services to Legend Biotech. Except for reports made from or about China, Legend Biotech has retained NAVEX for this purpose, and NAVEX personnel supporting the Hotline may be located in the United States, Columbia, the United Kingdom or elsewhere. Personal data and information you provide may also be disclosed to the police, other enforcement or regulatory authorities, or to a court or other tribunal of appropriate jurisdiction as may be required by law or regulation, subject to a lawful order, or as otherwise necessary to support claims or defenses of Legend Biotech.

6. Informing named individuals

In most cases, Legend Biotech will promptly notify any person named in a report to the Hotline. Notice may be delayed, for example, to ensure the integrity of the investigation, avoid the compromise of witnesses, preserve relevant information, or at the request of governmental authorities.

7. Your rights in relation to the personal data collected and processed

In certain circumstances and depending on where you are located, you may have certain rights in relation to your personal data. These include the rights of access, erasure/deletion, and correction. The right to opt out of the sale of personal data/information does not apply because Legend Biotech does not sell and will not sell any personal data collected because of a Hotline report.

If you wish to exercise your rights in relation to your personal data or lodge a complaint about how we process your personal data, please contact us at compliance@legendbiotech.com. EU data subjects may also lodge a claim with the Irish Data Protection Commission, the UK’s Information Commissioner’s Office or the data protection supervisory authority in the country in which you live or work, where you believe we have infringed applicable data protection laws.

If you are located in the European Economic Area or the United Kingdom, you have the following rights in relation to the personal data we hold about you, subject to certain exceptions:

  • Access. You have the right to access the personal data we hold about you, and to receive an explanation of how we use it and who we share it with. We will not be able to give you certain personal data where providing it would interfere with another individual’s rights, or where another exemption applies.
  • Erasure. You have the right to request your personal data to be erased, including where we hold the data about you on the basis of our legitimate interest and you object to our processing (subject to exceptions).
  • Object to processing. You have the right to object to our processing of your personal data where we are relying on a legitimate interest to process your personal data. We will retain your data where we have an overriding legitimate interest to do so, or if there are other valid grounds under law for us to do so (e.g. the defence of legal claims).
  • Rectification, restriction, and data portability. You may also have the right to ask for your personal data to be corrected, its use to be restricted to storage purposes, or to be transferred to you in a structured, commonly used and machine-readable format.
  • Consent withdrawal. If you provided your consent to the processing of your personal data, you have the right to withdraw your consent at any time, without this affecting the lawfulness of the processing based on consent before its withdrawal.

If you are a Consumer as defined in the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (CCPA), you have the right to:

  • Know how your personal information is used;
  • Access, request and receive the personal information we have collected in a portable manner;
  • Opt-out of having your data shared; and
  • Request that we delete your personal data.

To make requests about your privacy rights related to the Hotline, please email compliance@legendbiotech.com.

8. Changes to this Policy

We will notify you of any material changes to this notice.

9. Contact

If you have any questions or comments about this notice, our privacy practices, or if you would like to exercise your rights with respect to your personal data, please contact us by email at compliance@legendbiotech.com.

Please write to us at: Compliance Department, Legend Biotech, 2101 Cottontail Lane, Somerset, NJ 08873, USA