Coegin Pharma AB Privacy Policy

1. Introduction

Coegin Pharma AB ("Coegin" or "we") is committed to protecting personal data and ensuring GDPR compliance. This Privacy Policy explains how we collect, use, retain, and secure personal data in accordance with applicable laws, including the General Data Protection Regulation (EU 2016/679 - "GDPR").


2. Data Controller Information

Coegin Pharma AB, Reg. No. 559078-0465
c/o Medicon Village, 223 81 Lund, Sweden
Email: [email protected]


3. What Personal Data We Collect

We collect different types of personal data depending on the interaction with Coegin:

- Website visitors: Name, email, IP address, cookie data.
- Business contacts & suppliers: Name, contact details, invoice information.
- Shareholders: Name, address, shareholding details (per legal obligations and legitimate interest).
- Job applicants: CVs, cover letters, contact details.
- Participants in clinical studies: Study-related data, health information (where applicable).
- Individuals contacting us directly (via email or social media): Name, contact details, and any additional information provided in inquiries.
- Social media followers and interactions: If you follow Coegin’s social media channels, like, comment, or send messages, we may process your name, username, profile picture, and any content you provide.
- Prospective investors: Name, contact details, company affiliation, investment preferences, and discussions related to potential investments.
- Employees and consultants (for travel purposes): Personal ID number, passport copies, visa information, travel itinerary, and related booking details.
- Debt-based financing providers (prospective & actual): Name, contact details, company affiliation, financial due diligence information, contractual details, and related communications.
- Market insights: Name, contact details, nationality, professional role.


4. Legal Basis for Processing Personal Data

We process personal data based on:
- Performance of a contract: Processing necessary for employment, supplier agreements, or service contracts.
- Legal obligation: Compliance with financial, tax, and shareholder regulations.
- Legitimate interest:
  -> Maintaining relationships with partners, customers, and suppliers.
  -> Responding to inquiries received via email or social media in a professional manner.
  -> Engaging with followers and comments on Coegin’s social media platforms to maintain our online presence and communication.
  -> Managing shareholder relationships, ensuring corporate governance, and facilitating shareholder communications.
  -> Engaging with prospective investors to provide company information and explore investment opportunities.
  -> Facilitating necessary business travel for employees and consultants.
  -> Engaging with prospective and actual debt-based financing providers to assess financial opportunities and maintain financial relationships.
  -> Gaining an understanding of relevant markets for Coegin's pipeline projects and products.
- Consent: e.g., for marketing communications and clinical study participation (consent can be withdrawn at any time).


5. Retention of Personal Data

Coegin retains personal data only for as long as necessary to fulfill the purpose of processing, in compliance with applicable legal requirements and legitimate business interests. Retention periods are as follows:

- Financial & tax records: Salary and tax information is retained for at least 7 years in accordance with the Swedish Bookkeeping Act and tax regulations.
- Employment records: Employment contracts and work-related information are retained for up to 10 years after termination of employment, in compliance with statutory limitation periods and labor law requirements.
- Shareholder data: Retained for as long as required by Swedish company law and as long as we have a legitimate interest in maintaining shareholder records for corporate governance, shareholder communications, and business continuity.
- Clinical study records: 25 years (per regulatory guidelines).
- Job applications: Up to 2 years, so that Coegin can respond to potential employment discrimination claims under Swedish law. Applicants are informed of this retention period, and data is securely deleted thereafter unless further retention is justified.
- Customer, supplier, and business partner data: Retained for the duration of the business relationship and for a reasonable period thereafter based on legitimate interest (e.g., legal claims, financial audits, or regulatory requirements).
- Inquiries and social media interactions: Retained as long as necessary to respond to requests, after which they are deleted unless further retention is justified (e.g., ongoing discussions, contractual obligations, or legal claims).
- Prospective investor data: Retained for the duration of investment discussions and for a reasonable period thereafter (e.g., 2-3 years) based on legitimate interest to maintain investment relations and comply with legal obligations. If no investment occurs, data will be securely deleted or anonymized unless further retention is justified (e.g., regulatory requirements or ongoing discussions).
- Debt-based financing provider data: Retained for the duration of financial agreements and for a reasonable period thereafter (e.g., 7 years) to comply with legal, regulatory, and auditing requirements. For prospective lenders, data is retained for up to 2 years unless further engagement is initiated.
- Travel-related data (passport, personal ID, visas, etc.): Retained only for as long as necessary to complete travel bookings and comply with legal requirements. Typically deleted immediately after travel is completed, unless required for accounting, tax, or compliance purposes (e.g., visa audits, expense reports).
- Market insights: Data is retained for up to 2 years unless further engagement is initiated.

When retention periods expire, or data is no longer necessary, we ensure secure deletion or anonymization in accordance with best practices.


6. Transfers Outside EU/EEA

Coegin may transfer personal data outside the EU/EEA when using global service providers, such as Microsoft, for cloud storage, email, and IT infrastructure. These transfers occur only when one of the following safeguards applies:

- The recipient country is covered by an EU adequacy decision ensuring an equivalent level of data protection.
- We have entered into Standard Contractual Clauses (SCCs) with the provider, supplemented where needed by additional security measures (e.g., encryption, access restrictions) to protect the personal data.
- The transfer is necessary for the performance of a contract or is otherwise permitted under a GDPR derogation.

Coegin primarily uses Microsoft cloud services, which may involve data storage in EU-based or third-country data centers. Microsoft is contractually obligated to adhere to GDPR standards, including SCCs and supplementary measures to safeguard personal data.


7. Your Rights Under GDPR

Individuals whose data is processed by Coegin have the following rights under GDPR:

- Right to access: Request a copy of your personal data that Coegin holds.
- Right to rectification: Correct inaccurate or incomplete personal data.
- Right to erasure (‘Right to be forgotten’): Request deletion of your personal data, unless legal obligations require retention. For example:
  -> Job applicants can request deletion before the 2-year retention period expires.
  -> Prospective investors and financing providers can request deletion unless Coegin has an ongoing legitimate interest (e.g., financial due diligence, compliance obligations).
  -> Employees and consultants may request deletion of travel-related data after travel is completed.
- Right to restriction of processing: Limit how your data is processed in specific situations.
- Right to object: Object to processing based on legitimate interest, including direct marketing.
- Right to data portability: Request that your data be provided in a structured, machine-readable format.
- Right to withdraw consent: If processing is based on consent (e.g., marketing communications), you can withdraw consent at any time.

How to Exercise These Rights:
Requests should be submitted via email to [email protected]. Coegin will respond without undue delay and in any event within one month of receipt, as required by GDPR; for complex or numerous requests this period may be extended, in which case you will be informed of the extension and the reasons for it. In cases where data cannot be deleted immediately due to legal requirements (e.g., financial records, regulatory obligations), we will inform you of the reasons for continued retention.


8. Use of Cookies and Tracking Technologies

Coegin may use cookies to improve website functionality and analytics. For more details, please refer to our Cookie Policy.


9. Third-Party Websites

Some pages on Coegin's websites link to third-party websites. These websites have their own privacy policies, and Coegin is not responsible for their operations, including but not limited to their information practices. Users who submit information to or through these third-party websites should review their privacy policies before providing any personal data.

Where a Coegin website is operated by a third-party provider acting as an independent data controller, links to that provider's privacy and cookie policies are provided. Coegin is not responsible for the provider's operations, including but not limited to its information practices. Users who submit information to or through such third-party-managed websites should review those policies before providing any personal data.


10. Data Breach Notification

In the event of a personal data breach, we will:
- Contain the breach, assess the risk to affected individuals, document the incident, and take corrective action.
- Notify the Swedish Data Protection Authority (IMY) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.


11. Updates to This Privacy Policy

This policy may be updated periodically. Any significant changes will be posted on our website and communicated as required.


12. Contact Information

If you have questions or wish to exercise your rights under GDPR, please contact:

Coegin Pharma AB
Att: Data Protection Officer (DPO)
c/o Medicon Village, 223 81 Lund, Sweden
Email: [email protected]