Effective as of February 3, 2023.

This “Privacy Statement” describes the privacy practices of Merus N.V. and our subsidiary Merus US, Inc. (collectively, “Company”, “we”, “us”, or “our”) relating to our online practices, clinical research activities, and relationships with our suppliers, vendors, service providers and other persons and entities doing business with us. This Privacy Statement describes, under and in accordance with the requirements of applicable law, how we collect, use, disclose and otherwise process personal information in connection with our websites and other services and activities, and explains the rights and choices available to individuals with respect to their information. For convenience, our websites are collectively referred to as the “Sites,” and, together with our other services and activities, collectively referred to as the “Services.” This Privacy Statement governs any of the Services on which the Privacy Statement is posted.

In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data, such as if you participate in a clinical trial. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your information. This type of an “in-time” notice or agreement will govern how we may process the information you provide at that time or in that context. To the extent that there is any conflict between the “in-time” privacy notice or agreement and this Privacy Statement, the “in-time” privacy notice or agreement shall prevail. This Privacy Statement also does not supersede or alter the terms of any contracts we enter into with persons or entities doing business with us.

Additional information related to European data protection legislation is provided here and additional information for California residents is provided here.

Personal Information We Collect

We collect personal information about the following types of individuals: clinical trial participants, clinical trial investigators, researchers, and other individuals who interact directly with us or our service providers or persons or entities doing business with us. We collect personal information:

  • Directly from individuals
  • Through the Sites
  • From contract research organizations and clinical trial investigators
  • From government agencies or public records
  • From third party service providers, data brokers or persons or entities doing business with us
  • From industry groups and associations

Types of Personal Information We Collect

The types of personal information we collect and share depend on the nature of the relationship you have with us and the requirements of applicable laws. We may collect:

(i) Information in the context of our clinical research

  • Health and medical information (such as medical insurance details, information about physical and mental health conditions and diagnoses, treatments for medical conditions, genetic information, family medical history, and medications an individual may take, including the dosage, timing, and frequency)
  • Personal and business contact information and preferences (such as name, job title and employer name, email address, mailing address, phone number, and emergency contact information)
  • Biographical and demographic information (such as date of birth, age, gender, marital status)
  • Professional credentials, educational and professional history, and institutional affiliations
  • Financial disclosure/transparency information
  • Other information you may provide to us (such as in emails, on phone calls, or in other correspondence with the Company or its service providers or persons or entities doing business with us)

(ii) Information you give us when visiting Sites

  • Personal and business contact information, such as your first name, last name, postal address, email address, telephone number, fax number, job title, and employer name, to the extent that you choose to submit it to us
  • Feedback and correspondence, such as information you provide when you request information for investors, report a problem with the Sites, or otherwise correspond with us
  • Usage information, such as information about how you use the Sites and interact with us
  • We ask that you not send us, and you not disclose, any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, or trade union membership) or personal data relating to criminal convictions and offences (e.g., criminal background) on or through the Site or otherwise to us in connection with your usage of the Sites.

(iii) Information we get from others

We may also get information about you from other sources, for example Google Analytics, and we may add this to information we get from our Site or the Services. See Cookies and Similar Technologies.

We may combine other publicly available information, such as information collected through publicly accessible sources and registers, such as public agencies or authorities, or information related to the organization for which you work, with the personal information that you provide to us through our Services.

(iv) Information automatically collected

We and our service providers may use cookies and similar technologies to automatically log information about you, your computer or mobile device, and your activity over time on the Sites and other online services, when you access our Sites. For example, we and our service providers may log your internet protocol address, pages you viewed, access times, and the website you visited before visiting our Sites if you clicked on a hyperlink to visit our Sites. Please refer to the Cookies and Similar Technologies section for more details.

(v) Information you provide to us if you conduct business with the Company

If you do business with the Company, we need to process certain personal data in the context of our relationship with you: contact information; financial information (for payment and billing purposes); personal information that may be gathered in relation to our partnership, transaction or interaction, such as through written communication, invitations and subscriptions to any events and publications, information gathered while facilitating your visits to our offices, including your access to a guest wireless internet network. You are requested (insofar as applicable) to kindly communicate the information in this Privacy Statement to individuals working for or engaged by you or related to you whose personal data are or may be processed by us.

Cookies and Similar Technologies

What are cookies?

Information about you and your computer may be collected by using “cookies.”  Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We use third-party cookies which are provided by external parties. These third-party cookies are used by us for analytics and by third-party providers for analytics purposes, including to track unique visitors across our Sites.

Cookies we use

Our Sites use the following types of cookies for the purposes set out below:

Name/Type of cookie Purpose Cookie lifetime
CookieLawInfoConsent

/ functional cookie

GDPR Cookie Consent – used to check whether a cookie can be placed. This cookie only works in coordination with the primary cookie ‘viewed_cookie_policy’ (please see below for more information about this primary cookie). 1 year
Cookielawinfo-checkbox-necessary / functional cookie GDPR Cookie Consent – Used to check if cookies can be placed. This cookie records the preference of an user with regard to necessary cookies. This cookie only works in coordination with the primary cookie ‘viewed_cookie_policy’ (please see below for more information about this primary cookie). 1 year
Cookielawinfo-checkbox-non-necessary / functional cookie GDPR Cookie Consent – Used to check if cookies can be placed. This cookie records the preference of an user with regard to necessary cookies. This cookie only works in coordination with the primary cookie ‘viewed_cookie_policy’ (please see below for more information about this primary cookie). 1 year
Viewed_cookie_policy / functional cookie GDPR Cookie Consent – Used to store if the cookie-banner/message has been shown and stores the user’s consent to the use of cookies. No personal information is collected and its activation depends only on the user’s action (accept/reject). 1 year
_ga / analytical cookie Google Analytics – used to distinguish users 2 years
_gid / analytical cookie Google Analytics – used to distinguish users 24 hours
_gat / analytical cookie Google Analytics – used to throttle request rate 1 minute

Opting Out

Some of the third-party providers that collect information about users’ activities on or through our Sites may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior. Please visit our Online Tracking Opt-Out Guide for information about opting out of, or blocking, cookies and similar technologies on our Sites. Please note that we also may work with companies that offer their own opt-out mechanisms and may not participate in the opt-out mechanisms that we linked to in our guide.

Do Not Track Signals

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We do not track unique users of our Sites, except as described above in the Cookies we use section. We currently do not respond to do not track signals.

How We Use Your Personal Information

To provide our Services

If you use our Sites, we use your personal information to:

  • Operate, maintain, administer and improve the Sites;
  • Provide support and maintenance for the Sites and our Services; and
  • Respond to your requests, questions and feedback.

If you request information from us, we may send you the relevant information in response to such request. If you indicate that you also want to receive other Company-related information, we may also send you such Company-related information. You will have the ability to opt out of such communications by emailing us at privacy@merus.nl, or clicking the “unsubscribe” link at the bottom of any email. You may continue to receive transactional communications.

To perform and administer clinical trials and research activities

We may use personal information of clinical trial participants, investigators, researchers, and other individuals when necessary to facilitate our clinical trials, research, studies, and related activities, including to:

  • Staff and manage clinical trials, including by recruiting investigators and participants;
  • Support symposia, conferences, and scientific, educational and volunteer events;
  • Identify and engage thought leaders and external experts;
  • Attribute authorship to academic materials
  • Comply with regulatory monitoring and reporting obligations, such as those related to adverse events and financial disclosures.

To conduct our business activities

If you or your employer does business with us, we may use your personal information to:

  • Negotiate, manage, and/or perform our contractual relationship with you (or the entity you work for);
  • Manage and administer our relationship with you, including with respect to invoicing and payment;
  • Provide access to our offices and/or certain information technology systems.

To comply with law

We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or other requests from government authorities or auditors.

With your consent

We may use or share your personal information with your consent, such as when you instruct us to take a specific action with respect to your personal information.

For compliance, fraud prevention and safety

We use your personal information as we believe necessary or appropriate to (a) enforce the terms and conditions that govern the Services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

How We Share Your Personal Information

Except as described in this Privacy Statement or in any other contracts or privacy notices that govern our relationship with you, we do not share the personal information that you provide to us with other organizations. We disclose personal information to third parties under the following circumstances:

  • Affiliates. We may disclose your personal information to any of our corporate affiliates for purposes consistent with this Privacy Statement.
  • Service Providers. We may employ third-party companies and individuals to administer and provide the Services on our behalf, including:
    • Contract research organizations and vendors that support clinical trials and related research;
    • Data storage and analytics;
    • Technology services and support (such as training, customer support, hosting, email delivery and database management services)

These third parties may use your information only as directed by the Company and in a manner consistent with this Privacy Statement, and are prohibited from using or disclosing your information for any other purpose.

  • Professional Advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
  • Compliance with Laws and Law Enforcement; Protection and Safety. We may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to: (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern the Services; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
  • Business Transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy, in which case we will make reasonable efforts to require the recipient to honor this Privacy Statement.
  • Employees/Consultants. We may disclose your personal information to our employees, consultants and other people working for us, who need to have access to your information or have a legitimate interest in having access to your information. All these persons are bound by confidentiality obligations.

Your Choices

Access, Update, Correct or Delete Your Information

You may review, update, correct or request the deletion of your personal information by contacting us at privacy@merus.nl or if you have additional requests or questions.

Choosing not to share your personal information

Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Services to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with the Services. We will tell you what information you must provide to receive the Services by designating it as required in the Services or through other appropriate means.

Security

The security of your personal information is important to us. We take appropriate and commercially reasonable organizational, technical and physical measures designed to protect the personal information we collect, both during transmission and once we receive it, in accordance with requirements under law. However, no security safeguards are 100% secure and we cannot guarantee the security of your information.

Children

At this time, we do not knowingly collect personal information from children under 16. If a parent or guardian becomes aware that his or her child has provided us with information without parental or guardian consent, he or she should contact us at privacy@merus.nl. We will delete such information from our files as soon as reasonably practicable.

Investors

You may provide information to us when you visit the Investors & Media page of our Site, such as your name, company, email address, and other information you choose to provide in the “Contact Us” form. We use this information to provide our Services, conduct our business activities, to comply with law and for other compliance, fraud prevention, and safety purposes. We may share this information with our affiliates, service providers, professional advisors, employees/consultants, to comply with law and law enforcement, for protection and safety purposes, and in the event of a business transfer, each as explained in the “How We Share Your Personal Information” section below.

International Data Transfer

Merus N.V. is headquartered in the Netherlands and has affiliates and service providers in other countries, and your personal information may be transferred to the United States or other locations outside of your state, province, country or other governmental jurisdiction where privacy laws may not be as protective as those in your jurisdiction.

Whenever we transfer your personal information out of the EEA, Switzerland or the UK to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the European data protection laws, such as the specific contracts approved by the European Commission as providing adequate protection for transferring personal information.  For details, see the European Commission’s website for model contracts for the transfer of personal information to third countries.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA, Switzerland or the UK.

Retention

We will retain your personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we will consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.

Other Sites and Services

The Sites may contain links to other websites and services. These links are not an endorsement, authorization or representation that we are affiliated with that third party. We do not exercise control over third-party websites or services, and are not responsible for their actions. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies of the other websites you visit and services you use.

Additional Information Related to European Data Protection Legislation

Personal information

References to “personal information” in this Privacy Statement are equivalent to “personal data” governed by European data protection legislation.

Controller and Data Protection Officer

The Company is the controller of your personal information for purposes of European data protection legislation. See the Contact Us section below for contact details.

Purposes and Legal Grounds of Processing Personal Information

Purposes of processing
We process your personal information for the following purposes:

  • Identification of the individual involved, e.g., entity or person transacting business with the Company;
  • Contract administration and collaboration (e.g., negotiation of the agreement, exchanges in the context of the execution of the agreement and the termination of the agreement);
  • To perform our contractual relationship with you (or the company you work for) and/or to provide and improve our Services;
  • To manage and administer our relationship with you, including the monitoring and payment of invoices;
  • To comply with applicable laws and regulations and our obligations thereunder (e.g., financial accounting obligations, regulatory monitoring and reporting obligations);
  • To keep our internal records updated with correct information and to prepare internal management reporting;
  • To give and administer access to our IT services or applications, as well as to maintain and protect them;
  • To provide and improve our Sites (e.g., by generating statistics regarding the use of the Sites);
  • To perform statistical and other research;
  • Granting physical access rights, such as providing access to buildings and / or parking locations;
  • Security, surveillance and protection of buildings, businesses and natural persons;
  • For the establishment, exercise or defense of legal claims;
  • To provide our Services;
  • To perform and administer clinical trials and research activities;
  • To operate our Sites;
  • To communicate with you;
  • For fraud prevention and safety;
  • Any other specific purposes for which we have obtained your consent (or, if required, explicit consent).

Legal grounds of processing
We process your personal information based on one or more of the following legal grounds:

  • To perform our obligations under an agreement or to take steps at your request prior to entering into such agreement;
  • To comply with legal obligations we are subject to, such as regulatory monitoring and reporting obligations, or complying with requests from governmental authorities;
  • To protect your, or another person’s, vital interests;
  • For scientific or historical research purposes or statistical purposes;
  • When we have legitimate interests to process your personal information, e.g.:
    • management and administration of our relationships with you;
    • our commercial interest, including in relation to the improvement of our Services and for statistical purposes;
    • for internal communications;
    • when providing information to auditors;
    • in relation to lawful requests and legal process, such as to respond to claims, subpoenas or other requests from government authorities;
    • for compliance, fraud prevention and safety;
    • in the course of a (potential) sale or transfer or some or all of our business or assets, in connection with a (potential) business deal;

except where such interest is overridden by your interests or the protection of your fundamental rights and freedoms as data subject (unless we have your consent or are otherwise required or permitted to by law); and;

  • When you have given your consent, or, where applicable, your explicit consent, for the processing of personal information for a specific purpose. Where we rely on your consent you have the right to withdraw it to any further processing in the manner indicated in the Services or by contacting us at privacy@merus.nl.

Use for new purposes
We may use your personal information for reasons not described in this Privacy Statement where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and provide the applicable legal basis, as well as the other required statutory information.

Your rights

European data protection laws may give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:

  • Opt-out. Stop sending you direct communications. You may continue to receive Service-related emails, if applicable.
  • Access. Provide you with information about our processing of your personal information and give you access to your personal information.
  • Correct. Update or correct inaccuracies in your personal information.
  • Delete. Delete your personal information.
  • Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal information.
  • Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
  • Withdraw consent. If our processing of your personal information is based upon your consent for an explicit purpose you may withdraw your consent to any further processing, subject to applicable law

You can submit these requests by email to privacy@merus.nl or our postal address provided below. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us as described below or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

Changes to this Privacy Statement

We reserve the right to modify this Privacy Statement at any time in our sole discretion. We encourage you to periodically review this page for the latest information on our privacy practices within the scope of this Privacy Statement. If we make material changes to this Privacy Statement you will be notified through the Services in a manner that we believe reasonably likely to reach you (which may include posting a new privacy statement on our Sites, or a specific announcement on this page or elsewhere on our Sites).

Any modifications to this Privacy Statement will be effective upon our posting of the new terms and/or upon implementation of the changes on the Services (or as otherwise indicated at the time of posting). In all cases, your continued use of the Services after the posting of any modified Privacy Statement indicates your acceptance of the terms of the modified Privacy Statement.

Contact Us

If you have any questions or concerns at all about our Privacy Statement, please feel free to email us at privacy@merus.nl, or write to us at:

Data Protection Officer
Merus N.V.
Uppsalalaan 17
3rd & 4th Floor
3584 CT Utrecht
The Netherlands

Notice to California Residents

We are required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”), to provide to California residents an explanation of how we collect, use and share their personal information, and of the rights and choices we offer California residents regarding our handling of the personal information.

In accordance with the CCPA, this Notice to California Residents and the rights set out below do not apply to the information we collect in connection with clinical trials, or to any health or medical information we collect that is otherwise governed by California’s Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996.

We do not “sell” or “share” personal information, as the terms are defined by the CCPA. As we explain in this Privacy Statement, we only use cookies and other tracking technologies to analyze website traffic. If you would like to learn how you may opt out of our use of cookies and other tracking technologies, please review the instructions provided in the Online Tracking Opt-Out Guide below.

California Residents’ Privacy Rights

The CCPA grants individuals whose information is governed by the CCPA the following rights. We extend these rights only to our business contacts and to individual investors who provide information through our Site:

  • Information. You can request information about how we have collected, used and shared and used your personal information during the past 12 months. We have made this this information available to California residents without having to request it by including it in this Privacy Statement.
  • Access. You can request a copy of the personal information that we maintain about you.
  • Deletion. You can ask us to delete the personal information that we collected from you.
  • Correction. You can ask us to correct personal information that is inaccurate or out of date.

Please note that the CCPA limits these rights by, for example, prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request. If we deny your request, we will communicate our decision to you.

You are entitled to exercise the rights described above free from discrimination.

How to Submit a Request

If you are a business contact or an investor and you would like to exercise the privacy rights listed above:

Identity verification. The CCPA requires us to verify the identity of the individual submitting a request to exercise their privacy rights before providing a substantive response to the request.

Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.

The chart below summarizes the information we collect by reference to the categories of “Personal Information” specified in the California Privacy Rights Act. Please make sure to read the entire Privacy Statement for complete information.

Data Categories Collected? How We Collect Primary Purposes of Processing Primary Recipients / Disclosures Can You Limit Sharing?
Identifiers such as a real name, Internet Protocol address, email address, or other similar identifiers Yes When you visit our Sites or do business with us To provide our Services, conduct our business activities, and comply with law Service providers No
Commercial information, including but not limited to records of products or services purchased Yes When you visit our Sites or do business with us To provide our Services, conduct our business activities, and comply with law Service providers No
Internet or other electronic network activity information, including but not limited to browsing history and search history Yes When you visit our Sites or do business with us To provide our Services, conduct our business activities, and comply with law Service providers No
Geolocation data Yes When you visit our Sites or do business with us To provide our Services, conduct our business activities, and comply with law Service providers No
Professional or employment-related information Yes When you visit our Sites or do business with us To provide our Services, conduct our business activities, and comply with law Service providers No
Education information We do not process
Characteristics of protected classifications under California or federal law We do not process
Biometric information We do not process
Audio, electronic, visual, thermal, olfactory or similar information We do not process
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer We do not process
Sensitive personal information We do not process, except in the context of our clinical research

 

Online Tracking Opt-Out Guide

Like many companies online, we use services provided by companies such as Google that use tracking technology. These services rely on tracking technologies – such as cookies – to collect directly from your device information about your browsing activities, your interactions with websites, and the device you are using to connect to the Internet. There are a number of ways to opt out of having your online activity and device data collected through these services, which we have summarized below.

  • Blocking cookies in your browser. Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.
  • Using privacy plug-ins or browsers. You can block our Sites from setting cookies by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery or uBlock Origin, and configuring them to block third party cookies/trackers.
  • Platform opt-outs. The following third-party analytics providers offer opt-out features that let you opt-out of use of your information:

Note that because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt-out on every browser and device that you use.