Privacy Notice and Cookie Policy

Last Edited on 09/17/2023

Job titles used in this document are as they currently exist; they are intended to include current titles, as well as future titles encompassing similar duties or parts of the current duties

1.0 PURPOSE:

To establish processes regarding websites for Global Alzheimer’s Platform Foundation and GAP Innovations, hereafter collectively referred to as GAP. The GAP website, subsites, and special purpose sites are strategic assets that carry influence with multiple audiences and provide global access for customers, Clinical Trial managers, employees, and trial subjects.

This SOP is designed to ensure that GAP websites are compliant with state, federal, and international jurisdiction guidance and regulation. GAP intends its websites to be:

• Accessible. The websites must meet all applicable governmental expectations on accessibility. 
• Accurate. Information presented on websites will be factually accurate and as current as possible. 
• Relevant. Content presented on the websites will be intended for specific audiences.
• Simple. Information on the websites will be concise and understandable to the intended audience. 
• Privacy protected. Personal and Protected Health Information viewable or accessible from GAP websites must be protected from unauthorized access or unauthorized disclosure.

2.0 SCOPE:

These procedures apply to all externally facing websites established by or for GAP. They apply to privacy, security, content, creation, and maintenance of websites. These procedures apply to internal websites established by or for GAP or its programs (e.g., MyGAP, etc.) to ensure privacy is protected and data is secure.

3.0 RESPONSIBILITY/ACCOUNTABILITY:

• Responsible:
  • Senior Director, Programs, Marketing, and Communications:
    • Owning and managing the GAP website(s)
    • Approving GAP website subsites and/or special purpose websites before launch
    • Selecting and hiring (or contracting) a Website Consultant, when needed
  • Privacy Manager:
    • Approving the Privacy and Cookies Notices for the GAP Website
    • Keeping the GAP Website Privacy and Cookies Notices up to date
    • Developing Privacy and Cookies Notices for all new GAP websites
  • Legal:
    • Reviewing and approving the GAP Website Privacy and Cookies Notices
    • Approving Privacy and Cookies Notices prior to being added to websites
  • Section Head:
    • Approving new websites developed by or for their section
    • Naming an Owner for each website developed for or managed by their section
  • Subject Matter Expert (SME):
    • Aligning with the Website Consultant on website appearance and functionality
  • Website Consultant:
    • Determining appropriate use for cookies on the GAP websites
    • Including the GAP Website Privacy and Cookies Notices on the GAP website
    • Removing and deleting websites when no longer needed as directed by SME, Section Head, or Senior Director, Programs, Marketing, and Communications
  • Website Owner:
    • Notifying the Website Consultant when their website(s) are no longer needed

Accountable:

• Senior Director, Programs, Marketing, and Communications:
  • Ensuring the GAP website does not routinely collect Personal (PII) or Protected Health (PHI) Information
  • Ensuring that Registration Forms, sign-ups for information, and other short term collection tools include appropriate privacy information for respondents and security measures for any data collected

• Privacy and Compliance Manager:
  • Ensuring GAP websites comply with Privacy regulations and guidance

Website Owner:

Keeping their website(s) up to date and compliant

4.0 ABBREVIATIONS and DEFINITIONS:

DMCA – Digital Millennium Copyright Act (US); establishes procedures to request or order the “takedown” of unauthorized material and/or websites

DPA 2018 – Data Protection Act – 2018 (UK), also known as the UK GDPR

GDPR – General Data Protection Regulation – 2016 (EU)

HTTPS – Hyper-Text Transfer Protocol Secure; secure version of system used to send information between the user’s web browser and a website

FADP – Revised Federal Act on Data Protection – 2020 (Switzerland)

PHI – Protected Health Information

PII – Personally Identifiable Information

SME – Subject Matter Expert

Website Consultant – contractor or consultant selected and hired to advise GAP on technical and compliance information regarding websites; may also build and maintain GAP websites

5.0 PROCEDURE:

New websites. The process for any website that GAP develops and launches follows the same basic steps:

1. A GAP staff member creates an idea for a new website and notifies their supervisor
2. If the supervisor agrees a website should be developed, they will discuss it with the Section Head
3. If the Section Head agrees that a website should be developed, they will discuss it with the Senior Director, Programs, Marketing, and Communications
4. If all agree, the Senior Director, Programs, Marketing, and Communications will arrange a meeting between the Website Consultant and a Subject Matter Expert (SME) to discuss the idea, audience, and details of the website; this may become several meetings as the Website is designed
5. The design must include all required elements – GAP logo, Cookies and Privacy Notices, etc
6. Once designed, the website will be reviewed and tested by the SME for functionality and design
7. The SME will submit the proposed website to the Section Head for approval
8. With Section Head approval, the proposed website goes to the Senior Director, Programs, Marketing, and Communications for final approval
9. If approved, the Website Consultant will launch the website into production, making it visible on the Internet and the Section Head will name a Website Owner

When changes/additions to a website or webpage need to be made, the process will begin at Step d.

When a website is no longer needed, the Website Owner, Section Head, or Senior Director, Programs, Marketing, and Communications will notify the Website Consultant to remove and delete the website.

Specific requirements and considerations for websites are:

• The GAP website
  • The GAP core website does not collect any personal or health information. It presents information about GAP, its operations, its Network sites, news relating to Alzheimer’s and Parkinson’s research, and recommendations for maintaining a healthy brain. From time-to-time, GAP may use a short-duration form on the website to collect information to register viewers for a GAP event or similar use. When used, the form must include the appropriate privacy and security information for respondents and the information collected must be protected and secured.
  • The GAP website will contain links to separate Privacy and Cookies Notices, or a combined notice for privacy and cookies.
  • Since the GAP website is viewable worldwide and GAP has operations in Europe, the contact information for the GAP Data Protection Officer (DPO) and the list of Data Protection Authorities by country (https://edpb.europa.eu/about-edpb/board/members_en) will be listed or linked on the website home page or in the Privacy Notice.
  • GAP Subsites and Other Sites
    • All GAP subsites and other sites will conform to all local, national, and international laws and regulations.
    • All GAP subsites and other sites created for special purposes are recommended to contain the GAP logo in the upper left of the home page. The logo will link to the home page of the GAP website.
    • All GAP subsites and other sites will contain a Privacy Notice and a Cookies Notice, or a combined Cookies/Privacy Notice, detailing GAP’s usages and contact information.
  • Cookie Consent Notices (see APPENDIX B)
    • All GAP websites must include a Cookies Notice. Even if GAP is not collecting or processing any personal information, cookies may be created during a user’s session on a GAP website. The GAP use, types, and durations of the cookies must be included. The Cookies Notice can be stand-alone or be combined with the Privacy Notice.
    • The Cookies Notice can be in the header, the footer, or in a pop-up on the website.
    • If the website collects cookies:
      • The user must be allowed to opt in, opt out, or customize cookies or advertising experience, if applicable. If using a checkbox to opt in, it cannot be pre-checked.
      • The Cookies Notice must disclose that it stores cookies and why
      • The Cookies Notice must disclose what users are agreeing to or accepting
    • If the website does not store cookies, the Cookies Notice can simply define cookies and state that the website does not use them.
  • Privacy Notices (see APPENDIX A)
    • Most countries require sites collecting personal or health information to have their Privacy Notice accessible by users, so best practice is to include it on all sites.
    • A Privacy Notice explains how the site gathers and handles users’ data; it states if data is kept private or shared with/sold to third parties, identities of recipients, how data is stored, how users receive privacy updates, last update date, and measures used to protect data. It may be stand-alone or be combined with the Cookies Notice.
    • A link to the Privacy Notice can be in the footer (recommended), under “About” or “Legal” in the Main Menu, or on a checkout or account registration page.
    • Privacy Notice (for the GAP Website) is at APPENDIX A.
  • Plagiarism and Copyright
    • Original website content is copyrighted; a copyright notice will be placed on the home page.
    • Plagiarism is the unauthorized or unattributed use of someone else’s content.
    • Ensure GAP website content is original or indicates the owner’s permission to use it.
    • Putting content on a website that infringes on an owner’s rights could result in a DMCA Takedown Request which would remove it from search results and possibly a lawsuit.
  • HTTPS
    • If a GAP website is used in ecommerce, it must be employed with HTTPS (Hyper-Text Transfer Protocol Secure) to protect personal and financial information.
    • If not used for ecommerce, GAP websites should be employed with HTTPS to provide enhanced security and because many users set their browsers to only access HTTPS sites.
  • Terms & Conditions
    • A “Terms & Conditions” page is not required, but if used, sets out rules for using the site.
    • It may contain:
      • A copyright and/or trademark notice; if there is not a “Terms & Conditions” page, the site should include a copyright or trademark notice on the Home page
      • The Privacy Notice which may be linked to or included on the page
      • A disclaimer stating that the site owner is not responsible for providing content that is accurate, complete, or suitable for any purpose
      • A notice of which law and/or in what jurisdiction governing disputes will be followed
    • GAP websites should not allow third party posting. If a website does allow third-party posting, the Terms & Conditions page must include a clause disclaiming responsibility for third party comments, that the site owner is not responsible for offensive statements made by third parties, and that the site owner does not endorse third party statements.
  •  Disclaimers
    • Instead of (or along with) Terms & Conditions disclaimers, separate negations can be used.
    • These disclaimers can:
      • Disclaim liability the site owner may experience by use of their site
      • Disclaim expertise or responsibility for actions users take based on the site’s content
      • Provide that original content cannot be used without permission
      • Provide that the site owner’s opinions are solely their own
      • Provide that the site content is informational only and not professional advice
      • Disclaim liability for third party or advertiser content
  • GDPR (including DPA-2018 and FADP)
    • Websites visible in Europe or drawing traffic from European citizens must comply with the GDPR (EU), DPA-2018 (UK), and FADP (Switzerland).
    • If collecting and/or processing personal or health information:
      • Sites must protect data from misuse and exploitation
      • Sites must provide for users to give and retract consent to collection and use of data
      • Site owners must notify users of a data breach within 72 hours of breach discovery
      • Site owners must provide a way to access data being collected, stored, and processed
      • Data collection and processing must be limited to that necessary for the purpose
      • Access to the data must be limited to only those employees needing the information to complete the process consented to by the user
    • The site owner must appoint a Data Protection Officer (DPO) to oversee compliance.
    • Contact information of the DPO and Data Protection Authorities must be clearly visible on the website (home page or in the Privacy Notice).
  • CalOPPA
    • Websites based in California or visible to Californians must comply with CalOPPA.
    • CalOPPa requires websites to have a privacy statement/notice; it must be clearly visible and easily accessible for website users, and the title/link must contain the word “privacy.”
    • Consent and agreement to the terms of using the site should be obtained by the clickwrap method – requiring a positive action from the user and not allowing a pre-checked box.
    • Website owners must protect PII, including first/last name, physical address, email address, telephone number, Social Security Number, any other contact information, birthday, details of physical appearance, and any other information that may identify an individual.
    • In addition to Privacy Notice requirements (paragraph 5.4), websites must tell users how to request “Do Not Track”, but CalOPPa does not require respecting that setting.
  • Americans with Disability Act (ADA)
    • The ADA applies to businesses with 15+ employees and open for 20+ weeks a year.
    • The ADA does not address websites, and courts have not consistently forced compliance; however, Title II, ADA requires government website accessibility for users with disabilities. Prudence and courtesy recommend voluntary compliance with ADA standards.
    • Website accommodations include:
      • Larger fonts, or compatible with larger fonts; compatibility with Web reading tools
      • Clear contrast between fonts and backgrounds
      • Written descriptions of images, not just short captions
      • Transcripts for any videos on the site
  • Anti-Spam
    • If sending emails to website visitors or subscribers, anti-spam laws must be followed.
    • Anti-Spam laws are more diverse than privacy laws; see specific requirements for the jurisdictions where the sender and recipient(s) are located; examples:
      • The US Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) requires recipients be able to opt out of non-profit and for-profit emails but allows convoluted unsubscribing; state laws may also apply
      • Canada’s Anti-Spam Legislation (CASL) requires opt-in for receiving emails and allows easy unsubscribing
      • The GDPR for the EU requires an opt-in to receive marketing emails and there is no implied consent for current customers (must get clear opt-in again for them). Additional requirements are set forth in the ePrivacy Directive

6.0 REFERENCE(S):

Americans with Disabilities Act – 1990 (ADA) (US)

California Online Privacy Protection Act – 2003 (CalOPPA)

Canada’s Anti-Spam Legislation – 2010 (CASL)

Controlling the Assault of Non-Solicited Pornography and Marketing Act – 2003 (CAN-SPAM) (US)

Data Protection Act – 2018 (DPA-2018) (UK); also known as GDPR-UK

Digital Millenium Copyright Act – 1998 (US)

ePrivacy Directive (2002/58/EC) (EU)

General Data Protection Regulation – 2016 (GDPR) (EU)

Revised Federal Act on Data Protection – 2020 (FADP) (Switzerland)

7.0 APPENDICES:

APPENDIX A – GAP Website Privacy Notice

APPENDIX B – GAP Website Cookies Notice

8.0 HISTORY of CHANGES:

DATE	REVISION NUMBER	REASON FOR REVISION

APPENDIX A

GAP WEBSITE PRIVACY NOTICE

Last Edited on 8/31/2023

This Privacy Notice applies to the processing of data related to the use of the website https://globalalzplatform.org (hereinafter “the Website”).

Global Alzheimer’s Platform Foundation as the Controller, hereinafter as “GAP, “we” or “us”, of the personal data, has committed to comply with:

• The General Data Protection Regulation N°EU 2016/679 (hereinafter, the “GDPR”);
• The General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (hereinafter the “UK GDPR”) and the UK Data Protection Act 2018 (amended 2020) (hereinafter the “Data Protection Act”);
• The revised Federal Act on Data Protection 2020 (“FADP”) in Switzerland;
• And all EU and US applicable laws and regulations regarding data protection.

Collectively referred to as “Data Protection Laws”.

With this Privacy Notice, GAP wants to make sure that you understand what personal information is collected about you, how your personal information is used, and how it is kept safe.

General warning and use of social media

Access to the Website implies the User’s full and unreserved acceptance of this Privacy Notice (hereinafter the “Notice”), as well as its general terms of use and the Cookies Notice, see APPENDIX B. The User acknowledges having read the information below.

The Notice is valid for all pages hosted on the Website. It is not valid for the pages hosted by third parties to which GAP may refer and whose privacy notices may differ. GAP cannot therefore be held responsible for any data processed on these websites or by them. This Notice also applies to any other website that GAP may operate, including our Company pages on X (Twitter), Facebook, LinkedIn and YouTube.

Please, note that for the use of social media, GAP will be Joint-Controller with X (Twitter), Facebook, LinkedIn and YouTube only for the following activities: accessing and processing statistical aggregate data provided by X (Twitter), Facebook, LinkedIn and YouTube. For any other processing on the platform, social media platform shall be considered as the sole Data Controller.

Facebook, including Instagram, and LinkedIn have created an “addendum” to their user agreements for company pages for the processing for which they are Joint-Controllers with us. Such agreement is not currently provided by X (Twitter) YouTube, Flickr or Vimeo.

1. Why, how and for how long do we collect your personal data?

Depending on the purpose for which we process your personal data, we need to process one or more personal data items. We will keep them for no longer than necessary to fulfill the purposes for which we collected them, including any legal requirements.

Depending on each case, the processing will therefore be as follows:

Purposes	Types of personal data	Legal basis	Retention period
To answer your queries,	Name, email address   Please note that other Personal Data may be processed by GAP depending on your request and the information you provide us.	This processing is based on our legitimate interest in answering the requests or queries raised by you through the existing different contact channels.   We understand that the processing of these data is also beneficial to you to the extent that it enables us to assist you adequately and answer the queries raised.	We will process your data for the time necessary to meet your request.
To sign-up/enroll in a GAP event.	Name, email address   Please note that other Personal Data may be processed by GAP depending on the type of event organized.	We will process your Personal Information upon request of your Consent, to send you customized information about our services, events, or surveys.	We will process your data for the time necessary to fulfil the purposes we collected it for.
For statistical purposes	Aggregate statistical data (e.g., Company page on X (Twitter), Facebook, LinkedIn and YouTube).	We consider that we have lawful interest to understand the way our page is consulted (e.g., how many times our page is consulted, from which country…).	Statistical information is stored by X (Twitter), Facebook, LinkedIn and YouTube and consequently subject to their retention policy. We may export statistical reports, but we guarantee that this is only in an anonymous form.
Use of cookies for the functioning and managing of our website	Cookies may store in certain circumstances personal data which may include: IP addresses, browser type, location, operating system,…	Please, see our Cookies Notice, APPENDIX B (below) for more information.	Please, see our Cookies Notice, APPENDIX B (below).

2. Data sharing

We do not sell or trade your personal data to outside parties.

Nevertheless, GAP has contracted with the following Services Providers to manage the Website that may have access to your personal data:

• McCally & Co. for web hosting and website consulting.

Sharing your personal data as explained above may involve a transfer of personal data to a country outside the European Economic Area (EEA), the UK, and/or Switzerland. GAP is therefore committed to complying with the transfer rules under applicable Data Protection Laws and therefore ensure to:

• Transfer your data to countries where the data recipient is located that has been recognized as adequate by the European Commission, the UK Secretary of State; and/or the Swiss Federal Data Protection and Information Commissioner (FDPIC); or
• Where a country has not received an adequacy decision from the European Commission, the UK Secretary of State, and/or the FDPIC  to implement appropriate safeguards, such as the EU Standard Contractual Clauses (“SCCs”) (and the UK addendum), and/or the International Data Transfer Agreement (“IDTA”).

You can contact our Data Protection Officer, hereinafter as DPO, (see contact details below), if you want to have more details about the mechanism supporting data transfer.

Under Swiss provisions: List of the third countries and related appropriate safeguards in case of data transfers from Switzerland

Third countries	Appropriate Safeguards
United States of America	Encrypted transfers, Standard Contractual Clauses (SCCs with the UK Addendum); pending Switzerland-US Adequacy Decision provisions (when enacted)
EU countries	EU Adequacy Decision provisions – Directive (EU) 2016/680
UK	Implementing decision in accordance with Directive (EU) 2016/680

3. How do we protect your information?

GAP treats your personal data in a confidential manner and provides for a sufficient and adequate level of protection of your personal data. Your data is classified at the time of collection to ensure the appropriate safeguards are in place for each category of personal and sensitive personal data.

Your personal data are contained behind secured networks and are only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. Your data is kept only as long as is necessary to complete the purpose for which it was collected. All data is protected against accidental loss, destruction, and damage using technical and organizational measures.

4. Your rights

According to the GDPR, the UK GDPR, and/or FADP, you have the following rights:

• Access. You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, information related to the processing of data and a copy of the data being processed.
• Rectification. You have the right to require rectification of inaccurate data about you.
• Right to be forgotten. To obtain the deletion of your personal data in the situations set forth by applicable data protection law.
• Restrict processing. You have the right to restrict processing of data under certain specified circumstances.
• Data portability. You have the right to request for the receipt or the transfer to another organization, in a machine-readable form, of your personal data.
• Object to processing. You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data.
• Right to withdraw consent. When you have given your explicit consent for the processing of your data (e.g., Subscription to the Newsletter), you can withdraw it at any time without justification.

Please note that all these rights are not absolute and will be assessed on a case-by-case basis by our DPO. 

If you would like to exercise your rights, please let us know by contacting our DPO, GAPFoundation.dpo@mydata-trust.info.

You have also the right to lodge a complaint if you consider that your personal data is not processed in accordance with the GDPR, the UK GDPR, and/or the FADP.

If you are an EEA resident: You have the right to lodge a complaint with the Supervisory Authority in the Member State of the European Union of your habitual residence, place of work or place of the alleged infringement.

If you are a UK resident: you may file a complaint with the Information Commissioner’s Office (“ICO”), the Supervisory Authority of UK, following the instruction available in the service channels.

If you are a Swiss resident: you may lodge a civil claim in case of personality rights’ infringements regarding the exercise of your rights of access, rectification and object but also regarding infringements related to data privacy principles. The competent Supervisory Authority in Switzerland is the FDPIC.

Please find the contact information of all Authorities in section 7 “Contacts”.

• Changes to this Privacy Notice

This Notice is effective as of the date stated at the top of this page. We may change this Notice from time to time. Please refer to this Notice on a regular basis.

• Contacts

Global Alzheimer’s Platform, acting as Controller

4315 50^th St. NW Ste 100, Unit 2623

Washington, DC 20016, United States

info@globalalzplatform.org

Data Protection Representative

Valpark, Rue Louis Duvant, 1, 59220 Rouvignies (FRANCE)

GAPFoundation.dpr.EU@mydata-trust.info

Data Protection Officer

GAPFoundation.dpo@mydata-trust.info

Commission Nationale de l’Informatique et des Libertés – CNIL

3 Place de Fontenoy

TSA 80715 – 75334 Paris, Cedex 07

Tel: +33 (0)1 53 73 22 22

Fax: +33 (0)1 53 73 22 00

Website: http://www.cnil.fr/ https://www.cnil.fr/en/contact-cnil

For other EU Data Protection Authorities

https://edpb.europa.eu/about-edpb/about-edpb/members_en

For UK Supervisory Authority (“ICO”)

Tel: +55 (0)3 03 12 31 11 3

Website: https://ico.org.uk/global/privacy-notice/your-right-to-complain/

For Swiss Federal Data Protection and Information Commissioner (“FDPIC”)

Feldeggweg 1

CH – 3003 Berne

Tel: +41 (0)58 462 43 95 (mon.-fri., 10-12 am)

Fax: +41 (0)58 465 99 96

Website: https://www.edoeb.admin.ch/edoeb/en/home.html

APPENDIX B

GAP WEBSITE COOKIES NOTICE

What are cookies?

Cookies are simple text files that are stored on your computer or mobile device by a website’s server. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier, website’s domain name, and some digits and numbers.

What types of cookies do we use?

Necessary cookies

Necessary cookies allow us to offer you the best possible experience when accessing and navigating through our website and using its features. For example, these cookies help you navigate from one page to another, especially if you want to view a previous page.

Analytical cookies

These cookies enable us and third-party services to collect aggregated data for statistical purposes on how our visitors use the website. These cookies do not contain personal information such as names and email addresses and are used to help us improve your user experience of the website.

Specific analytical cookies stored when accessing the GAP website are IP address, length of time spent on the site and individual pages, and downloads requested. The IP address is only used to determine a general geographic location of the user, is not tied to a specific individual, and not stored after the general location is determined. GAP does not do any advertising or targeting based on that information. GAP only uses this data to assess user experience, content validation, and reach. 

How to delete cookies?

If you want to restrict or block the cookies that are set by our website, you can do so through your browser setting. To assist you in blocking or restricting cookies, you can visit www.internetcookies.com, which contains comprehensive information on how to do this for a wide variety of browsers and devices. You will find general information about cookies and details on how to delete cookies from your device.