Daiichi Sankyo, Inc. Data Privacy Framework Statement

Effective Date: March 5, 2026 (Pending DPF Certification)

EU-U.S. Data Privacy Framework (for personal information transferred from the European Economic Area to the U.S.)

UK Extension to the EU-U.S. Data Privacy Framework (for personal information transferred from the UK and Gibraltar to the U.S.)

Swiss-U.S. Data Privacy Framework (for personal information transferred from Switzerland to the U.S.)

Scope and Participation in DPF

Daiichi Sankyo, Inc. (“DSI” or “we”) participates in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”). DSI has certified to the U.S. Department of Commerce that DSI adheres to:

  1. the EU-U.S. Data Privacy Framework Principles with respect to personal data received from the European Economic Area (“EEA”) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF; and
  2. the Swiss-U.S. Data Privacy Framework Principles with respect to personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

NOTICE

DSI commits to adhering to the DPF Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse/Enforcement. We provide individuals notice regarding the personal data that we collect from them, how we use it, and how to contact us with privacy concerns through this statement and through other agreements or notices provided to the individuals and/or through our direct engagement with the individuals. DSI’s U.S. Privacy Notice is available at: https://daiichisankyo.us/privacy-notice

If there is any conflict between the terms of this Statement, DSI’s U.S. Privacy Notice, and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern. DSI’s compliance with the EU-U.S. DPF includes the UK Extension to the EU-U.S. DPF with respect to personal data received from the United Kingdom (and Gibraltar). To learn more about the Data Privacy Framework program, and to view our certification, please visit: https://www.dataprivacyframework.gov.

Types of Personal Data Collected

The categories of personal data we may collect (directly or indirectly) from individuals in the EEA, the United Kingdom, and Switzerland include, for example:

  • Contact Identifiers: Name, personal or business contact details (address, email, telephone).
  • Professional Information: Job title, employer, professional qualifications, and employment history (e.g. job applicants, employees, or healthcare professionals (“HCPs”) working as consultants or investigators for DSI).
  • Online Data: IP address, device identifiers, and browsing or interaction data from our websites or online services. Please note that DSI branded product websites and US websites are not intended for EU audiences nor are they actively marketed towards EU, UK, or Swiss data subjects.
  • Health and Medical Data: For research participants, pseudonymized clinical trial data or pharmacovigilance information (processed in accordance with DPF Supplemental Principles on Pharmaceutical and Medical Products, or as permitted by law).
  • Financial and Transaction Data: Payment information or account details if you receive consulting fees, sponsorship, or other payments from DSI.
  • Any other Personal Data you choose to provide to us (e.g. through inquiry forms, survey responses, or job application materials such as a CV).

DSI does not intentionally collect sensitive personal data from individuals in the EEA, the United Kingdom, or Switzerland except where necessary and lawful, for example in connection with pharmacovigilance, adverse event reporting, product complaints, employment-related obligations, or other legal or regulatory requirements. If we ever need to process Sensitive Personal Data (e.g. personal data revealing racial or ethnic origin, health, or precise geolocation), we will obtain your affirmative express consent (opt-in) or ensure another valid legal basis under DPF applies. We minimize collection to what is relevant for the purposes described below.

Purposes of Processing

We may process personal data received from the EEA, the United Kingdom, and Switzerland for the following business and compliance purposes, in each case as relevant to the relationship we have with you:

  • Service Delivery & Business Operations: Providing our products and services (such as managing clinical trials, patient support programs, and medical information requests), improving and developing new products, and personalizing content or user experience on our sites.
  • Communication & Marketing: DSI, as a U.S. based company, does not actively market or promote pharmaceutical products outside of the US. Nevertheless, we may process personal data received from the EEA, the United Kingdom, and Switzerland for managing our relationships with healthcare professionals (e.g. invitations to medical education events or research opportunities), conducting market research or surveys (with opt-out choices provided), or otherwise providing information you requested.
  • Recruitment & Talent Management: Processing job applications and talent community profiles (e.g. evaluating candidates, contacting referees, arranging interviews) and onboarding new hires. For additional information, please see the DS Global Candidate Privacy Notice.
  • Contractual and Customer Support: Fulfilling our contracts and transactions with business partners, healthcare providers, and customers, including payment processing, logistics, and responding to inquiries or support requests.
  • Legal Compliance & Regulatory Obligations: Meeting legal obligations such as adverse event/drug safety reporting, transparency reporting (U.S. Sunshine Act disclosures), compliance with court orders and government requests, and record-keeping requirements.
  • Security and Fraud Prevention: Protecting DSI’s rights, privacy, safety, and property, ensuring the security of our IT systems and facilities, preventing fraud or misconduct, and complying with U.S. law enforcement or national security requests where lawfully required.

Purpose Limitation: We will only use personal data in a manner compatible with these purposes or as otherwise disclosed to you at the time of collection. If we intend to process your personal data for a purpose that is materially different from the purpose for which it was collected, we will provide you with further notice and the opportunity to opt out of such use (or opt in, if required for sensitive data).

Disclosure of Personal Data to Third Parties: DSI may disclose personal data received from the EEA, the United Kingdom, and Switzerland to third parties as described below and for the purposes set out in this Statement, consistent with the DPF Principles:

    • Within the Daiichi Sankyo Group: DSI may transfer personal data to Daiichi Sankyo affiliates and to third-party service providers for the purposes described in this Statement. Such recipients are required to protect the data in accordance with applicable law and applicable contractual or organizational safeguards. Where DSI makes onward transfers of personal data received under the DPF, DSI remains responsible as required by the DPF Principles, including the Accountability for Onward Transfer Principle.
    • Service Providers (“Agents” or Vendors): We use third-party service providers to perform certain business functions on our behalf, such as cloud hosting, data analytics, marketing support, travel/event management, background screening for applicants, or payroll processors. These providers will only process personal data pursuant to our instructions and for the purposes we specify, and they are contractually obligated to provide an equivalent level of privacy protection as required by DPF.
    • Business Partners and Collaborators: In some cases we may share data with joint marketing or development partners, such as co-promoter pharmaceutical companies or research collaboration partners, but only for the joint purposes disclosed (for example, co-organizing an event or co-developing a therapy). These partners will be contractually required to protect your data.
    • Legal and Regulatory Disclosure: We may disclose personal data to public authorities or other third parties when required by law, regulation, or legal process. This includes disclosures to regulators and government agencies (e.g. U.S. Food & Drug Administration, European Medicines Agency), to comply with reporting obligations (such as Sunshine Act payments or clinical trial transparency), or in response to lawful requests by public authorities (including to meet national security or law enforcement requirements under U.S. law). We will ensure any request is legally valid and limited to the necessary data.
    • Corporate Transactions or Other Situations: If DSI undergoes a business transaction such as a merger, acquisition, corporate reorganization, or sale of assets, personal data may be disclosed to prospective or actual purchasers (and their professional advisors) as part of due diligence or transfer, under appropriate confidentiality and only as permitted by law. We may also disclose data to protect the rights and safety of DSI, our employees, or others (for example, disclosing information to investigators in the event of a security incident or to attorneys in litigation).

Onward Transfer and Accountability: When we transfer personal data to a third-party agent or service provider, we will obtain assurances that the third party will safeguard the data consistently with this Policy and DPF Principles. Such assurances may include the third party’s certification under the DPF or a contract obligating them to provide at least the same level of protection as the DPF requires. DSI remains liable under the DPF Principles if any agent processes personal data received by DSI under the DPF in a manner inconsistent with those Principles, unless DSI proves that it is not responsible for the event giving rise to the damage.

Note: DSI does not sell personal information to third parties for monetary value, and does not share personal data received from the EEA, the United Kingdom, or Switzerland for targeted advertising purposes as DSI does not market or promote pharmaceutical products in the EU, UK, or Switzerland, in line with DPF Choice principles.

Summary of Data Disclosures

| Category of Personal Data | Examples | Shared With | Purpose of Sharing |
| --- | --- | --- | --- |
| Contact and Identity Data | Name, contact info, unique IDs | Group affiliates; Service providers (e.g. cloud IT) | Business operations; account administration; customer support |
| Professional/Employment Data | Job history, qualifications, CV | HR and contract management service vendors; background check providers; relevant DS affiliates. | Recruiting and talent management; evaluating candidate suitability; contracting with HCPs for consulting and research |
| Health/Medical Data | Clinical trial data, adverse events | Research partners; regulators (e.g. FDA, EMA); safety monitoring vendors | Clinical research; pharmacovigilance reporting; ensuring patient safety |
| Online Usage Data | IP address, website interactions | Analytics providers; website support providers | Website administration; analytics; improving website functionality and user experience |
| Financial/Transaction Data | Payment details, transaction records | Payment processors; auditors | Fulfilling contractual payments; financial compliance audits |
| Regulatory Compliance Data | Government ID, legal documents | Regulators; law enforcement (if required) | Mandatory reporting; responding to lawful requests |

Your Rights and Choices: Individuals in the EEA, the United Kingdom, and Switzerland have specific rights regarding their personal data. DSI is committed to honoring these rights, which include:

    • Right of Access: You have the right to obtain confirmation of whether DSI is processing your personal data, and to access that data. Upon request, we will provide you with a copy of the personal data we hold about you. This also allows you to verify the lawfulness of our processing.
    • Right to Correction: If any of your personal data is inaccurate or incomplete, you have the right to request a correction or update. We encourage you to keep your information with us up-to-date and will rectify errors upon verification.
    • Right to Deletion: You may have the right to request deletion of your personal data in certain circumstances – for example, if the data is no longer needed for the purposes collected. We will honor such requests to the extent allowed by law, and will inform you of any reasons we must retain certain data (e.g. to comply with legal obligations). In accordance with DPF Supplemental Principles applicable to Pharmaceutical and Medical Devices, these rights are limited for clinical trial participants.
    • Right to Object or Opt-Out: You have the right to opt out of certain uses or disclosures. You may refuse to share your personal data with third parties (except our agents) if the reason differs from its original purpose. As noted above, DSI does not actively market products in the EEA, UK or Switzerland. For any Sensitive Personal Data, we will obtain your affirmative consent before using or disclosing it for a purpose other than it was collected for or disclosing it to a third party.
    • Data Portability (if applicable): Where provided by law, you may request to receive your personal data that you have provided to us in a structured, commonly used, machine-readable format and to have it transmitted to another data controller when feasible.
    • No Automated Decisions: DSI does not make decisions based solely on automated processing of personal data that would have legal or similarly significant effects on you (for example, no automated hiring decisions without human involvement). With respect to clinical trials, a clinical trial subject may be randomized in accordance with the clinical trial protocol to determine whether they receive the experimental treatment or a different treatment. This randomization may involve an automatic process or evaluation of certain health data points (e.g. biomarkers) that is required in order to ensure the trial is conducted ethically and in compliance with good clinical practice standards.

To exercise any of these rights, please contact us using the information in the “How to Contact Us” section below. We will respond to your request within a reasonable timeframe, and in any case within the time limits set by applicable law (typically within 45 days under DPF, or the applicable GDPR timeframe). For security, we may need to verify your identity before fulfilling certain requests, and we will advise you if we need additional information to do so. Note that some rights may be subject to legal exceptions – for example, we might retain certain data if required by law or if needed to complete an ongoing transaction, despite a deletion request. In accordance with DPF Supplemental Principles applicable to Pharmaceutical and Medical Devices, these rights are limited for clinical trial participants. If we decline or limit your request, we will explain the reasons.

Data Security: We maintain reasonable and appropriate security measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. These include technical safeguards (like encryption, access controls) and organizational policies. While we strive to protect all information, no method of transmission or storage is 100% secure; however, DSI’s commitments under DPF require us to take all feasible steps to safeguard your data. If you have reason to believe your data has been compromised in dealings with us, please notify us immediately (see “How to Contact Us”).

How to Contact Us (Inquiries or Complaints): If you have any questions, concerns, or complaints regarding this Privacy Policy or our data practices under the DPF, please contact us. We welcome the opportunity to resolve any issue directly. You may reach us in any of the following ways:

    • Email: privacy_us@daiichisankyo.com
    • Mail: Daiichi Sankyo, Inc. – Privacy Office, 211 Mt. Airy Road, Basking Ridge, NJ 07920, USA.
    • EU/UK/Swiss Contact: You may alternatively contact our EU Data Protection team at Data-Protection@daiichi-sankyo.eu for issues related to personal data transferred from the EEA, the United Kingdom, or Switzerland. They can assist in your local language and will liaise with DSI to address your concerns.

DSI will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your personal data within 45 days of receiving your complaint. If you feel that we have not adequately addressed your complaint, please see the “Independent Recourse Mechanism” below for further dispute resolution options.

Independent Recourse Mechanism (Dispute Resolution):

If you have a question, complaint, or concern about DSI’s handling of your personal data under the DPF, you should first contact DSI using the contact details provided in this Statement.

Human resources data. With respect to human resources data received by DSI in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, DSI commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”) and the Gibraltar Regulatory Authority (“GRA”), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), as applicable.

Non-human resources data. For complaints concerning non-human resources data received under the DPF that cannot be resolved directly with DSI, DSI has further committed to refer unresolved complaints to JAMS, an independent alternative dispute resolution provider based in the United States. Information on how to open a dispute resolution case is available at https://www.jamsadr.com/dpf-dispute-resolution.

Under certain conditions, individuals may also be able to invoke binding arbitration for residual claims not resolved by other available redress mechanisms. See DPF Principles Annex 1 at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

U.S. Federal Trade Commission Enforcement: DSI’s DPF compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). DSI has declared its participation in the DPF to the Department of Commerce; any failure to comply with the Principles is enforceable under U.S. law prohibiting unfair or deceptive acts. This provides an additional layer of accountability – the FTC may investigate and sanction non-compliance with our DPF commitments. DSI also commits to respond cooperatively to any inquiries by the Department of Commerce or FTC.

Required Disclosure: In certain situations, DSI may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We will verify the legal validity of any such request and challenge it if it appears invalid or overbroad, consistent with our commitment to your privacy.

No Conflict with Other Policies: In the event of any conflict between this Statement and DSI’s U.S. Privacy Notice or other company privacy notices (insofar as they pertain to personal data from the EEA/UK/Switzerland), this DPF Statement shall govern such data. We also adhere to any more stringent requirements of applicable EEA, Swiss or UK data protection laws for such data.

Updates to this Statement: We may update this DPF Statement as needed to reflect changes in our practices or updates required by the DPF program. When we do, we will change the “Effective Date” and post the revised policy on our website. If we make material changes, we will provide a clear notice (e.g. on our website or via email) and, if necessary, obtain any required consent.