EU/UK GDPR Privacy Notice
Updated June 2024
This privacy notice (or “GDPR Privacy Notice”) should be read in conjunction with our Online Privacy Statement. The purpose of this document is to provide you with additional information on how Exelixis Inc. (“Exelixis”) uses your personal data that is subject to and other information required by the EU General Data Protection Regulation (2016/679) or the UK General Data Protection Regulation (together, the “GDPR”).
“Personal data,” as used in this GDPR Privacy Notice, means information that can be reasonably used to identify a living person or that reasonably relates to a living person.
“Processing,” as used in this GDPR Privacy Notice, means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller and contact details
Exelixis is a controller under the GDPR and is therefore responsible for the personal data we process about you. If you have any questions about this GDPR Privacy Notice, including any requests to exercise your legal rights in respect of your personal data, please contact us using the details set out below:
- Full name of legal entity: Exelixis Inc.
- Email address: privacy@exelixis.com
- Postal address: Legal Department, Exelixis, Inc., 1851 Harbor Bay Parkway, Alameda, California 94502
Exelixis’ Data Protection Officer (DPO) can be contacted at Boulevard Initialis, 7 box 3 – 7000 Mons (Belgium). As Exelixis is not based in the EU, we have appointed a Data Protection Representative in the EU, who can be contacted at: MyData-TRUST FranceValpark–rue Louis Duvant, 1–59220 Rouvignies, (France); and a Data Protection representative in the UK, who can be contacted at: Belmont Building, Belmont Road, Uxbridge, England, UB8 1HE (United Kingdom).
Legal basis
Please read the Online Privacy Statement for information on Exelixis’ data collection and use practices. We will only use your personal data when and how the law allows us. We process personal data for the purposes described in our Online Privacy Statement consistent with the following legal bases:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (for example, to keep our records updated, to study how customers use our products/services, running our business, the provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or a group restructuring exercise).
- Where we need to comply with a legal obligation (for example, adverse event and safety reporting).
We will process your personal data on the basis of consent only where it is expressly requested. Where required by law, we will request your consent before sending direct marketing communications to you via email or text message. Where we process your personal data on the basis of consent, you have the right to withdraw consent to marketing at any time by contacting us using the contact information above.
Data subject rights
The GDPR gives you certain rights in respect of the personal data that we hold about you. Details of these rights are set out below:
- Access. You have the right to confirm with us whether your personal data is processed, and if it is, to request access to that personal data including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy we may charge a fee.
- Rectification. You may have the right to rectify inaccurate or incomplete personal data concerning you.
- Erasure. In limited circumstances, you may have the right to ask us to erase personal data concerning you.
- Restriction. You also have the right to ask us to restrict the processing of your personal data in certain circumstances, for example, if you believe that your personal data held by us are inaccurate, if processing of your personal data is unlawful, or if we no longer need your personal data for the purposes for which they were collected, but you require your personal data to establish, exercise or defend legal claims.
- Data Portability. You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.
- Right to Object. Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.
- Marketing. You have the right at any time to ask us not to process your personal data for direct marketing purposes, including profiling if it is related to such direct marketing. If you object to the processing for direct marketing purposes we will no longer process your personal data for such purposes.
- Complaint. If you are based in the UK and you have concerns about our handling of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk), which is the UK’s supervisory authority for data protection issues. If you are based in the EU, you have the right to lodge a complaint with the relevant supervisory authority, details of which are on the European Data Protection Board (EDPB) website, depending on the country in which you are based (https://edpb.europa.eu/edpb_en).
If you would like to exercise any of the rights described above, please email privacy@exelixis.com with the phrase “Data Subject Request” in the subject line. You may also call 1-833-306-0552 or complete our web form.
Please note that those rights are not absolute. Hence, your exercising of those rights needs to be assessed on a case-by-case basis before we give effect to them.
Retention
We will retain your personal data for no longer than necessary to fulfil the specified purposes for collection and use (or a reasonable time thereafter) or other compatible purposes including satisfying legal requirements, as permitted by law.
Cross-border data transfers
This website and other websites that link to this GDPR Privacy Notice or Online Privacy Statement are controlled and operated by Exelixis from the United States. Information you provide to us both on our website and through other means may be stored and processed, transferred between and accessed from the United States and other countries that may not guarantee the same level of protection of personal data as the one in which you reside. Where such transfers take place from the European Economic Area (EEA) or United Kingdom (UK), they will be in accordance with the GDPR, including through the execution of standard contractual clauses as approved by the European Commission or the UK international data transfer addendum to the standard contractual clauses, or the UK International Data Transfer Agreement issued by the Information Commissioner’s Office (“ICO”), or where we are entitled to rely on one of the other safeguards permitted by applicable law.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA or UK. To receive a copy of the Standard Contractual Clauses relevant to any such transfer of your personal data, please email privacy@exelixis.com with the phrase “Standard Contractual Clauses” in the subject line.