Corporate Responsibility

Policy on Data Privacy

Scope

This policy outlines the data privacy standards to which Onyx adheres in order to comply with EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework
This Policy applies to all employee and contract employee-related personal Information, either in electronic or paper format, received by Onyx in the United States from the European Economic Area (“EEA”) and Switzerland. An “export” of personal data includes accessing EU-based databases and servers from the US, receipt of emails from Europe, and so on.

Policy Statement

Onyx Pharmaceuticals, Inc. and its affiliates and subsidiaries (here referred to as “Onyx”) is committed to protecting employee privacy, and values the confidence of its employees. Onyx has put in place internal procedures to ensure that Personal Information is processed responsibly and in accordance with applicable data protection/privacy laws. This privacy policy (“the Policy”) sets out the privacy principles that Onyx follows with respect to Personal Information moving from the European Economic Area (“EEA”) and Switzerland to the United States.

Safe Harbor Overview

Onyx complies with the US – EU Safe Harbor Framework and the US – Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use and retention of Personal Information from EU/EEA member countries and Switzerland. Onyx has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access and enforcement.

Definitions

For the purposes of this Policy the following definitions shall apply:

“Agent” means any third party processing Personal Information on behalf of, and under the instructions of Onyx.
 
“Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Usually this will be Onyx.

“Data Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of Onyx (or another Data Controller).

“Onyx” means Onyx Pharmaceuticals, Inc., their successors, subsidiaries, divisions and groups in the United States.

“Personal information” means any information or set of information that identifies or could be used by or on behalf of Onyx to identify an individual employee, or any other person engaged by Onyx to provide services. It does not include Personal Information that is encoded or made anonymous.

“Sensitive Personal Information” means information that (a) reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or (b) that concerns health or sex life, information about social security benefits, or information on criminal or administrative proceedings other than in the context of pending proceedings.

Privacy Principles


The privacy principles in this Policy are based on the Safe Harbor Principles.

1. PURPOSE: When Onyx collects Personal Information directly from employees in the EEA and Switzerland, it will inform them about the purposes for which it collects and uses Personal Information; the types of non-agent third parties (either Data Processors or Data Controllers) to which Onyx discloses that information; and the choices and means, if any, Onyx offers employees for limiting such use and disclosure of their Personal Information. Onyx will only collect information necessary for it to meet lawful and reasonable business purposes

Notice of the purpose will be provided in clear and conspicuous language when employees are first asked to provide Personal Information to Onyx, or as soon as practicable thereafter, and in any event before Onyx uses the information for a purpose other than that for which it was originally collected. If Onyx subsequently needs to use Personal Information for a purpose other than that for which it was originally collected, it will notify employees accordingly (unless it is inappropriate or impractical to do so) and afford them an opportunity to object in accordance with this policy.

Purposes for which Onyx may collect and use Personal Information from its employees and job applicants include but are not limited to:

  • Carrying out human resources functions such as training, implementing career and succession planning, administering employee contracts, evaluating employees, implementing employment-related actions and obligations and providing employment benefits and related information.
  • Enabling Onyx and its employees to contact one another using an employee’s work telephone and fax numbers, e-mail address or mailing address.
  • Administering compensation, bonus and benefits plans and other employment matters.
  • Arranging, booking and implementing employees’ travel plans and arrangements for business related purposes.
  • Enabling Onyx to maintain building security and employee security, health and safety.
  • Transferring Personal Information in connection with Onyx’s legal, regulatory, compliance and auditing purposes.
  • Facilitating Onyx’s internal administrative and analytics purposes, such as project staffing, headcount and statistics initiatives.
  • Facilitating Onyx’s internal administrative and analytics purposes, maintaining and administering Onyx’s web sites and complying with Onyx’s legal obligations, policies and procedures.

Where Onyx receives Personal Information from any subsidiary, affiliate or other Data Controller it may have from time to time in the EEA or Switzerland, it will use and disclose such Personal Information in accordance with the notices provided by such Data Controller.
Onyx may also disclose Personal Information to its agents in the United States and other third parties when required to do so under law or by legal process.

2. CHOICE: Onyx may offer employees the opportunity to choose (opt-out) whether their Personal Information is a) to be disclosed to a non-Onyx Data Controller, or b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the employee. However, there are a number of uses and or disclosures where such choice is NOT provided. These purposes are:

  • Where processing is necessary for the performance of a contract to which the employee is party or in order to take steps at the request of the employee prior to entering into a contract; or
  • Where processing is necessary for compliance with a legal obligation that Onyx (or other Data Controller) is subject to.

It should be noted that most of the purposes articulated above in Section 1 are activities that are necessary for performance of the legal obligations Onyx is under as an employer, or as a Data Controller of non-employee Personal Information.
For sensitive Personal Information, Onyx will give employees the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of information to a non-Onyx Data Controller or to the use of Personal Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the employee. Onyx will provide employees with reasonable means to exercise their choices. However, there are a number of [uses and or disclosures where such choice is NOT provided. These purposes are:

  • Where processing is necessary for the purposes of carrying out the obligations and specific rights of Onyx in the field of employment law; or
  • Where processing is necessary to protect the vital interests of the employee, or of another person, where the employee is physically or legally incapable of giving his consent; or
  • Where processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the employee; or
  • Where the processing relates to Personal Information that is made public by the employee, or is necessary for the establishment, exercise, or defense of legal claims.

Onyx will provide employees with clear and conspicuous, readily available and affordable mechanisms to exercise these choices.

3. AGENT OBLIGATIONS: Onyx will obtain assurances from its Data Controller and Data Processor agents that they will safeguard Personal Information in accordance with this Policy. Examples of appropriate assurances that may be provided by agents include:

  1. a contract obliging the agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (“the EU Data Protection Directive”);
  2. Safe Harbor certification by the agent, or being subject to another European Commission adequacy finding.

Where Onyx has knowledge that an agent is using or disclosing Personal Information in a manner contrary to this Policy, Onyx will take reasonable steps to prevent or stop such use or disclosure.

4. NON-AGENT TRANSFERS: In addition to the aforementioned uses outlined in Section 1, Onyx may transfer Personal Information to Data Controllers or Data Processors who are not agents for the following purposes:

  • Regulatory Reporting; or
  • Pre-employment reference checks; or
  • Merger, Acquisition, or Bankruptcy activities.

Where such transfers are made, Onyx will obtain assurances from such Data Controller or Data Processor that they will safeguard any disclosed Personal Information in accordance with this Policy.

5. SECURITY: Onyx will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration, or destruction which are proportional to the class, sensitivity, and the potential for harm to the employee of the Personal Information. Records containing Personal Information are considered Onyx property and should be afforded confidential treatment at all times, regardless of whether these records are in electronic or paper form.

6. DATA INTEGRITY: Onyx will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the employee. Onyx will take reasonable steps to ensure that personal data is relevant to its intended use, is accurate, complete and up-to-date. Onyx shall retain Personal Information as is commercially reasonable for the purposes which such Personal Information was originally collected, or was subsequently consented to by the employee. Onyx shall apply this policy to any Personal Information so retained.

7. ACCESS AND CORRECTION: Upon request, Onyx will grant employees reasonable access to the Personal Information that it holds about them. In addition, Onyx will take reasonable steps to permit employees to correct, amend or delete Personal Information that is demonstrated to be inaccurate or incomplete. Onyx may limit or deny access to Personal Information as permitted by the Safe Harbor Principles. For example, Onyx may limit an employee’s access to Personal Information where the burden or expense of providing access would be disproportionate to the risks to the employee’s privacy or where the legitimate rights of persons other than the employee would or could reasonably be expected to be violated.

Enforcement

Onyx will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy, including an annual self-assessment. Onyx will investigate any suspected breach of this Policy. Onyx will take all reasonable measures against any employee that Onyx determines is in violation of this policy, including disciplinary action. Onyx will take reasonable measures against any agent or non-agent Data Processor that Onyx determines is in violation of this policy, up to and including termination.

Dispute Resolution and Privacy Complaints

Any questions or concerns regarding the use or disclosure of Personal Information should be directed to the Onyx Data Protection Officer at the address given below. Onyx will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information, in accordance with the principles contained in this Policy.
For complaints that cannot be resolved between Onyx and the complainant, Onyx has agreed:

  1. To participate in the dispute resolution procedures established by the EU Data Protection Authorities to resolve disputes pursuant to the Safe Harbor Principles in respect of Personal Information received from the EEA, and
  2. For Personal Information received from Switzerland, Onyx will cooperate with and comply with any advice given by the Commissioner in the investigation and resolution of complaints brought under the US – Swiss Safe Harbor.

Contact Information

Questions or comments related to this policy should be submitted to the Onyx Corporate Compliance Officer by mail as follows:
Corporate Compliance Officer
Onyx Pharmaceuticals, Inc.
249 East Grand Avenue
South San Francisco, CA 94080
USA

Limitations

Onyx’s adherence to the Safe Harbor Principles may be limited by any applicable legal, regulatory, ethical, or public interest consideration and as expressly permitted or required by any applicable law, rule or regulation.

Changes to this Policy

This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. Onyx will post any such changes to the corporate intranet for 30 days prior to any such changes going into effect.