CELLDEX THERAPEUTICS, INC.

Updated as of July 27, 2023

  1. Certification to DPF

    Celldex Therapeutics, Inc. (“Celldex,” “we,” “us,” or “our”) is committed to respecting and protecting the privacy of those who entrust us with their personal information.

    Accordingly, Celldex complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.

    Celldex has certified to the U.S. Department of Commerce that it adheres to:

    • the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF; and
    • the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF.

    If there is any conflict between the terms in this Data Privacy Framework Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “Principles”), the Principles shall govern.

    To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

  2. Definitions

    For purposes of this DPF Policy, the following terms have the following meanings:

    • “personal information” includes only personal information received by Celldex under the DPF; and
    • “sensitive personal information” includes (i) personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual; and (ii) any personal information received from a third party where the third party identifies and treats it as sensitive.

  3. Scope of Commitment

    Where Celldex relies on the DPF for transfers of personal information from the European Economic Area (“EEA”), Switzerland and/or the UK, we will notify you of this in the relevant privacy notice provided to you (e.g., in our website privacy policy, informed consent form or privacy notice for healthcare professionals) (“Relevant Privacy Notice”). The Relevant Privacy Notice will detail:

    • the types of personal data to be transferred under the DPF;
    • the purposes for which the personal information is collected, used and transferred;
    • the duration for which we retain your personal information;
    • the third parties to whom we onward transfer your personal information; and
    • how and when individuals can limit such uses and disclosures of personal information.

  4. Choice and Consent

    As applicable and subject to any limitations / restrictions available under the DPF, Celldex will offer an individual the opportunity to:

    • opt-out of having their personal information disclosed to a third party controller;
    • opt-out of having their personal information used for a purpose materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual;
    • opt-in to having their sensitive personal information disclosed to a third party controller or processor other than where the processing is e.g., required to provide medical care or diagnosis (such as, in the context of Celldex-sponsored clinical trials); and
    • opt-in to having their sensitive personal information used for a purpose other than those for which it was originally collected or subsequently authorized by the individual.

  5. Onward Transfers of Personal Information to Third Party Controllers

    Where we onward transfer personal information to a third party controller (e.g., an affiliate, public authority, acquiring entity) we will as required:

    • comply with the Notice and Choice Principles (see above); and
    • enter into a contract with the third-party controller that provides (amongst other things) that such personal information may only be processed for specified purposes and that the recipient will provide the same level of protection as the Principles.

    Details around the third party controllers to whom we may disclose personal information are provided in the Relevant Privacy Notice.

  6. Onward Transfers of Personal Information to Third Party Agents / Processors

    Where we onward transfer personal information to a third party agent / processor (e.g., an IT hosting provider, contract research organization), we will as required (amongst other things):

    • transfer such personal information only for limited and specified purposes;
    • take reasonable and appropriate steps to ensure that the agent / processor processes the personal information transferred in a manner consistent with our obligations under the Principles;
    • take reasonable and appropriate steps to stop and remediate unauthorized processing by the agent / processor; and
    • provide a summary of the relevant privacy provisions of our contract with an agent / processor to the U.S. Department of Commerce upon request.

    Celldex shall remain liable under the Principles if our agent / processor processes such personal information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

    Details around the agents / processors to whom we may disclose personal information are provided in the Relevant Privacy Notice.

  7. Access to Personal Information

    Individuals can update, correct, and access the personal information about them that Celldex receives under the DPF, and may be able to correct, amend, or delete that personal information where it is inaccurate or has been processed in violation of the Principles, except where, for example, the rights of persons other than the individual would be violated, the request is vexatious or fraudulent, the processing is being carried out solely for research purposes, or the request relates to personal information in a “blinded” clinical trial. We may require payment of a non-excessive fee to cover our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

  8. Integrity of Personal Information

    Celldex will make reasonable efforts to ensure that personal information it processes is (i) reliable for its intended use, accurate, complete, and current; and (ii) kept only for the period necessary for permitted purposes.

  9. Security of your Personal Information

    Celldex will implement reasonable and appropriate measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal information.

  10. Product Safety and Efficacy Monitoring

    As a pharmaceutical company, Celldex does not have to apply the Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to Celldex, and with respect to reports by Celldex to government agencies like the FDA.

  11. Disclosure to Public Authorities

    We are required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal information to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

  12. Inquiries and Enforcement

    The Federal Trade Commission has jurisdiction over Celldex’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

    In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Celldex commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal information received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Celldex at .

    In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Celldex commits to refer unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to Data Privacy Framework Services, operated by BBB National Programs – an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information or to file a complaint. The services of Data Privacy Framework Services are provided at no cost to you.

    If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

  13. Changes to this DPF Policy

    Celldex periodically evaluates its privacy policies and procedures to implement improvements and refinements from time to time. When this DPF Policy is amended, we will revise the “last updated” date at the top of this DPF Policy. For material changes to this DPF Policy, we will notify individuals by placing a notice on the website.

  14. How to Contact Us

    If you have questions about this Privacy Policy, please e-mail us at