Privacy Policy – Blueprint Medicines

Privacy Policy

Blueprint Medicines logo

Privacy Policy

Privacy Notice for EU, Swiss and UK Healthcare Professionals

Recruitment Privacy Notice for European Economic Area | Swiss | UK Residents

Privacy Notice for Medical Information, Pharmacovigilance Reports and Product Complaints

Our commitment to privacy

This corporate website (hereinafter referred to as the “Website”) is operated by Blueprint Medicines (UK) Ltd. (address: 55 Baker Street | London W1U 8EW | Tel: +44 776 834 0250 | email: info.uk@blueprintmedicines.com | URL: https://www.blueprintmedicines.co.uk) (“Blueprint Medicines”, “we”, “us”), a Blueprint Medicines company (https://www.blueprintmedicines.com), and aims to offer the website visitors (“you”, “your” or “Website users”) general information about the business activities of Blueprint Medicines as further described below. 

At Blueprint Medicines, we recognize the importance of, and are fully committed to protecting the privacy of personal data related to all individuals with whom we interact – including third party service providers, patients, clinical study participants, members of the public, employees, contractors, regulatory authorities’ representatives, healthcare organizations’ representatives, healthcare professionals and business partners.

Introduction

This Privacy Policy (the “Policy”) sets out how Blueprint Medicines collects, stores, processes, discloses and generally safeguards the personal data of the individuals with whom we interact. This Policy is designed to assist you in making informed decisions when using our Website or interacting with us.

Individuals are recommended to read carefully and fully understand this Policy before disclosing any personal data and/or filling in any electronic form posted on this Website. By visiting and browsing our Website or by providing us your personal data, you agree and consent to the collection, use and further disclosure of your personal information as outlined in this Policy.

Scope of this Policy

This Policy is specifically intended to provide information to our Website users, Blueprint Medicines’ shareholders, members of the public who interact with Blueprint Medicines, patients that use Blueprint Medicines’ products, clinical study participants of Blueprint Medicines sponsored clinical studies and persons with whom we do business such as suppliers, contractors, consultants, regulatory authorities, personnel, agents, delegates of suppliers and partners and visitors to Blueprint Medicines’ offices.

Personal data we collect

This Website has been designed with the main function of providing information on the activities of Blueprint Medicines. Therefore, in most cases, the collection of the user’s personal data will not be required.

However, we may collect and process the following personal data about you, including but not limited to:

  • General data such as name, postal and/or email address, phone number, date of birth, your communications preferences and queries you make to Blueprint Medicines;
  • Professional data, such as your business address, business email address, business phone numbers, job title/position, educational information, professional qualifications, work experience, affiliations, professional networks, programs and activities in which you participated;
  • Identification data, such as your registration/identification information (for example, identity card numbers) insofar as required for the delivery of services to Blueprint Medicines, including onsite access to Blueprint Medicines premises);
  • Financial information such as bank name, bank accounts, credit card numbers (for the purposes of services by third-party service providers); and
  • Digital data generated from your use of our Website or for the delivery of services to Blueprint Medicines, such as IP address, login user credentials, employee ID number, your browser type and version, time zone setting, time period of user’s staying on a single page, the internal path analysis and/or other parameters regarding the user’s operating system and computer environment, browser plug-in types and versions, operating system and platform and other data transmitted via cookies. This data is collected and used only in an aggregated and not immediately identifiable manner; they could be used among others to ascertain responsibility in case of hypothetical crimes against the site or upon public authorities’ request. You can learn more about how we use tracking technologies and Cookies to collect your personal data in our Cookie Policy.

Ways of obtaining your personal data

In most cases, Blueprint Medicines will collect data directly from you, although sometimes we will obtain data about you from publicly available or third-party owned data sources, including but not limited to:

  • Your employer, when we need to process personal data of our service providers’ personnel;
  • Blueprint Medicines may collect information about health care professionals from publicly available or third-party owned sources for marketing, and research purposes and to verify professional data (including, but not limited to access to publicly accessible data, national registries or third-party databases);
  • Health care professionals or other third parties may provide patient data to Blueprint Medicines where necessary under applicable drug safety and risk management laws;
  • Blueprint Medicines may collect data from your computer or any other devices you use when visiting Blueprint Medicines’ Website such as internet protocol (IP), domain name, internet service provider (ISP), data about date and time of your request and other information provided by tracking technologies. For more information, please see our Cookie Policy.
  • We may receive data from other Blueprint Medicines companies, located worldwide, in compliance with applicable data protection laws.

When you are asked to provide your personal data, you have the right to decline. But if you choose not to provide data that is necessary for us to provide the requested services, we may not be able to provide you such services.  

Purposes of processing your personal data

Blueprint Medicines will process your personal data only for purposes permitted by applicable laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and on the terms set forth in this Policy. The purposes of the data processing activities may include:

  • Managing our business and to provide you with requested goods and/or services:  to administer our business and services, including to carry out our obligations arising from any agreements entered into between you/your employer and Blueprint Medicines.
  • Managing our relationships/communications with individuals: for example, responding to questions and comments or inquiries about applications, studies or services, inviting individuals to Blueprint Medicines events, making proposals for future service needs.
  • For collaboration and research purposes: for example, to enable Blueprint Medicines to make more informed and objective decisions when identifying and/or engaging with health care professionals and key opinion leaders and managing or creating business relationships with healthcare professionals.
  • Careers & Recruitment: processing professional data to assess an individual’s suitability for job openings at Blueprint Medicines.
  • Market research: processing data about individuals for lawful market research purposes. We collect data through surveys and interviews with patients and healthcare professionals to get market insights and to help us improve our products and services.
  • Direct marketing: to provide promotional material and engage in marketing and promotional activities with individuals in accordance with applicable laws.
  • Website functions: to ensure that content from our Website is presented in the most effective manner for you and for your device.
  • Legal or regulatory obligations and the directions of law enforcement agencies and court orders: to comply with our legal or regulatory requirements (reporting for the safety of information and product quality complaints) or to fulfil transparency requirements with respect to transfers of value to HCPs by us).

Blueprint Medicines will process personal data for further purposes, where lawful to do so (such as for archiving, scientific research, statistical or historic purposes) or when legally obliged to do so (such as reporting information for Blueprint Medicines risk management and drug safety obligations).

Legal basis of processing

Blueprint Medicines processes your personal data based on one or more of the following legal grounds:

  • Where you have provided your express consent to a specific processing activity (in which case, such consent can be withdrawn at any time and without giving any reasons);
  • Where it is necessary to comply with our contractual obligations towards you;
  • Where the processing is necessary to ensure Blueprint Medicines’ compliance with its legal obligations;
  • Where the processing is necessary to protect the vital interests of an individual;
  • Where processing is necessary in the public interest or for a public task; or
  • Where the processing is in Blueprint Medicines’ legitimate interests; for example, Blueprint Medicines processes data for scientific and statistical research purposes, for scientific development, for the improvement of our products and services, to provide security measures to protect Blueprint Medicines’ employees, contractors, patients, information and other assets and to prevent crime (such as fraud, financial crime and theft of intellectual and industry property and to ensure the integrity of its manufacturing and other operations) or in other ways strictly necessary to carry out our business.

Special categories of data

In addition to the above, where Blueprint Medicines processes special categories of data about you (information about individuals’ health, ethnicity, religion, trade union membership, genetic and biometric data etc.) – it shall only do so in accordance with applicable laws and regulations. For such processing Blueprint Medicines relies on the following legal grounds:

  • Where individuals provide their explicit consent;
  • Where required for compliance with rights and obligations related to employment;
  • Where required for safeguarding the vital interests of any individual;
  • Where processing is necessary for the purposes of provision of healthcare or occupational medicine, pursuant to a contract with a healthcare professional; and
  • Where processing is necessary for scientific research.

Redirect to other websites

From this Website, you can connect through special links to other websites of third parties. Blueprint Medicines does not endorse or recommend these sites’ content or services and assumes no responsibility regarding the processing activities of personal data or any activity by or content on third-party sites to which our Website provides links. We encourage you to read and be aware of the privacy policy, and all other policies, of each site you visit. Remember, the statements in this Policy apply solely to information collected by Blueprint Medicines.

Place of data processing and ways of transmission

Blueprint Medicines (UK) Ltd. is located in the United Kingdom. Blueprint Medicines also operates through its affiliates in the United States and other countries around the world. Personal data about you may be accessible to Blueprint Medicines affiliates located in the European Union (“EU”)/European Economic Area (“EEA”) as well as, to the extent permitted by applicable data protection law, to Blueprint Medicines affiliates outside the EU/EEA, and to selected vendors and partners, established in the United Kingdom, EU/EEA or globally.

Where Blueprint Medicines processes personal information in countries that may not provide the same level of data protection as in the United Kingdom or in the country of origin of the individuals concerned, Blueprint Medicines will implement reasonable and appropriate legal, technical and organisational security measures with the aim to ensure the security of the processing and in particular to protect your personal data from unauthorised access, use or disclosure. In the absence of an adequacy decision adopted by the European Commission or another competent data protection authority, Blueprint Medicines will implement appropriate data transfer mechanisms (such as executing the UK’s new International Data Transfer Agreement (“IDTA”), and new International Data Transfer Addendum (the “UK Addendum”) for any cross-border data transfers from the United Kingdom to an affiliate or a third party (controller or processor) located in a non-UK or EU/EEA third country with the aim to secure such transfers and achieve an adequate level of data protection.

Contractual arrangements with third parties and international data transfers

As a data controller, Blueprint Medicines aims to establish a high level of data protection and privacy for its data subjects and partners alike. To that end, Blueprint Medicines has developed and uses specific privacy and security related language in its contractual arrangements with third party service providers acting for and on behalf of Blueprint Medicines as data processors in compliance with applicable data protection legislation.

Through its privacy-compliant contractual arrangements, Blueprint Medicines sets out the scope, subject-matter, duration and purpose of the data processing activities carried out by its data processors and their sub-processors (if any) as well as the types of personal data processed and the involved categories of data subjects. Moreover, details are provided with regard to the service providers’ obligations in their role as data processors which include indicatively their confidentiality obligations, the procedure to be followed in case of a data breach incident, cooperation regarding inquiries from data subjects and authorities, assistance for the performance of data protection impact assessments, international data transfer mechanisms to be executed in the case of cross border data transfers, specific rules for the due diligence and engagement of sub-processors, implementation of appropriate security measures and personal data breach indemnification commitments.

Our service providers are required to be transparent and inform us in advance about their affiliates and any external collaborators (acting as sub processors) that might be involved in processing activities. In case that a service provider and/or any of its collaborators, are located outside United Kingdom, we request where necessary that they also execute appropriate data transfer mechanisms with such third parties to cover any onward transfers; in particular, they are required to execute the EU Standard Contractual Clauses (SCCs) as approved by the European Commission, and/or the UK’s IDTA and the UK Addendum, as applicable,  in the absence of an adequacy decision and/or any other data protection related certifications. This approach establishes and maintains a high level of data protection and privacy for the individuals we interact within the United Kingdom, the EU and beyond.

Your personal information may be stored and processed in any country where we have facilities or in which we engage service providers. We will only transfer your personal information where we have established a legal basis and put in place adequate measures to protect your personal information as may be required by local law, but you should not use our Websites or Services if you do not want your personal information potentially transferred, or otherwise processed, in countries outside of your country of residence, which may have data protection laws that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your personal information.

If you are located in the EEA, your personal information may be transferred to Blueprint Medicines, Blueprint Medicines Security Corporation, and our affiliates, each a Data Controller, or to service providers in non-EEA countries that are recognized by the European Commission as providing an adequate level of data protection according to EEA standards. For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures to protect your personal information, such as standard contractual clauses adopted by the European Commission.

Additionally, Blueprint Medicines complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Blueprint Medicines has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Blueprint Medicines has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the DPF Principles Blueprint Medicines affirms the following:

  • We are subject to the jurisdiction and enforcement authority of the United States Federal Trade Commission.
  • We may be required to release personal information in response to lawful requests from public authorities including to meet national security and law enforcement requirements.
  • We remain liable for the onward transfer of EU, UK, and Swiss personal information to agent third parties unless we can prove we were not a party to the events giving rise to the damages.
  • We acknowledge the right of EU, UK, and Swiss individuals to access their personal data to update, correct or amend information that is outdated or incomplete and to request the erasure of data that has been handled in violation of the DPF Principles. If you wish to exercise your rights please complete our Data Subject Request Form or contact us as described in Contact Us section of this Privacy Notice.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Blueprint Medicines commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship. EU and Swiss residents with inquiries or complaints should first contact Blueprint Medicines at privacy@blueprintmedicines.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Blueprint Medicines commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to BBB NATIONAL PROGRAMS, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.bbbprograms.org/dpf-complaints for more information or to file a complaint.  The services of BBB NATIONAL PROGRAMS are provided at no cost to you.

If your complaint involves human resources data transferred to the United States from the European Union or Switzerland in the context of the employment relationship, and Blueprint Medicines does not address it satisfactorily, Blueprint Medicines commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), and the Swiss Federal Data Protection and Information Commissioner and the UK Information Commissioner’s Office and to comply with the advice given by the DPA panel or FDPIC with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB NATIONAL PROGRAMS.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

Disclosure of your personal data

Blueprint Medicines discloses your personal data to third party recipients on a need-to-know basis where this is required by applicable law and/or as reasonably permitted to pursue its legitimate business aims. Your personal data will be disclosed only in accordance with applicable laws, and appropriate safeguards through contractual agreements, will be established to protect your personal data.

In order to conduct Blueprint Medicines’ business, Blueprint Medicines may also disclose personal data to third parties such as public/regulatory authorities/governmental bodies, third parties that provide services to Blueprint Medicines (such as but not limited to service providers, conducting audits, providing IT services, assisting in or managing our clinical studies, consulting/outsourcing companies, hosting service providers, event management agencies, travel agencies, banks and insurance companies and other support and administrative service providers that deliver support services to us), business partners and collaborators (such as external scientists, diagnostic labs), who review and assist Blueprint Medicines with health care compliance activities. Moreover, a disclosure of personal data may take place if Blueprint Medicines or substantially all of our assets are acquired by a third party, in which case personal data held by us about individuals will be included as transferred assets, or if Blueprint Medicines is under a duty to disclose or share individuals’ information in order to comply with any legal or regulatory obligation or request.

A detailed list of all third party recipients  and a copy of the relevant safeguards executed with them, as applicable, can be requested by contacting the Blueprint Medicines EU Privacy Office via email at EUPrivacy@blueprintmedicines.com.

Security and data retention

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy, applicable data protection laws and regulations as well as internationally approved security standards. All data you provide to us is stored on secure servers and accessed and used subject to our security policies and standards. Blueprint Medicines has implemented reasonable physical, technical and managerial controls and safeguards to keep your personal data protected from unauthorised access, disclosure, alteration, and destruction. Such measures may include, but are not limited to: firewalls, access controls, encryption of information while it is in storage, separation of duties, and similar security protocols. Access to your personal data is limited to a restricted number of Blueprint Medicines employees whose duties reasonably require to have access to relevant personal information and third parties with whom Blueprint Medicines contracts to carry out business activities on its behalf. We ensure that our employees and contractors are appropriately trained in the importance of privacy and how to handle and manage personal information appropriately and securely.

We will retain your personal data for the time strictly necessary to achieve the purposes for which the data was collected and any other permitted associated purpose. Data may be retained for a longer duration where applicable laws or regulations require or allow Blueprint Medicines to do so. When your data is no longer needed it will be either irreversibly anonymised (and the anonymised information may be retained) or securely disposed.

Automated decision making

Blueprint Medicines does not make through its Website or in general, decisions based solely on automated processing, including profiling, of your personal data; if we choose to do so we will inform you appropriately and obtain your prior permission as required by law.

Your data protection rights

Under applicable laws and subject to any legal restrictions, you may have the right to request us to:

  • Provide you with further details on the processing of your personal information;
  • Provide you access to and a copy of the personal data we hold about you;
  • Update any inaccuracies in the personal information we hold that is demonstrated to be inaccurate or incomplete;
  • Delete any personal information that we no longer have a lawful basis to use;
  • Provide you or a third party, with a copy of your data in a digital format (data portability);
  • Stop a particular processing when you withdraw your consent;
  • Object to any processing based on our legitimate interests or public interest to process information, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
  • Restrict certain aspects of the processing of your information.

In case we use your data for marketing purposes or if we intend to disclose your data to any third party for such purposes, we will inform you respectively and where necessary ask for your consent. In the case of direct advertising for our products and/or services through electronic communications (e.g. email), we will take all necessary steps to the extent required by applicable law, to offer you a method by which you can expressly consent to the receipt of further advertising material or the choice to refuse it. In any case, you always have the right to object to personal data being used for the purposes of direct marketing and sending scientific information and newsletters, and/or to withdraw your consent.

To exercise your rights, at any time, or to request additional information you may contact our EU privacy office via email at EUPrivacy@blueprintmedicines.com.

Please note that the exercise of your rights may be subject to certain conditions or may be restricted by law.

If we do not handle your request in a timely manner, or if you are not satisfied with our response to any exercise of these rights, you are entitled to submit a complaint with the competent data protection authority of your country of residence or place of work.

In the United Kingdom, the competent data protection authority is the Information Commissioner’s Office, which can be contacted as follows: 

UK Information Commissioner’s Office
Address: Water Lane, Wycliffe House, Wilmslow – Cheshire, SK9 5AF, United Kingdom
Phone: +44 1625 545 700, E-Mail: icocasework@ico.org.uk
Website: https://ico.org.uk/

Policy updating

Blueprint Medicines reserves the right to amend this Policy from time to time to reflect technological advancements, legal and regulatory changes, and Blueprint Medicines’ business practices, subject to applicable laws. If Blueprint Medicines changes its privacy practices, an updated version of this Policy will reflect those changes by posting any revisions on with the respective update of the effective date listed on the bottom of this Policy. We therefore encourage you to periodically visit this page to stay informed of how we are using your personal data.

Contact information

If you have any questions in relation to this Policy, or you want to obtain more information about Blueprint Medicines’ privacy practices, please contact our Blueprint Medicines privacy office by email at EUPrivacy@blueprintmedicines.com

Effective as of: February 6, 2025.