Privacy Notice for Patients and Patient Representatives

We (Galapagos NV located Generaal De Wittelaan 11 A3, 2800 Mechelen, “Galapagos”, “we,” or “us”) are committed to ensure the protection of personal data of all individuals who are currently collaborating with us, including patients and patient representatives. Your personal data are handled and protected with the utmost care, in accordance with the requirements imposed by European and local data protection laws.

In this privacy notice we explain the principles that we apply, in our capacity as a controller, when we process patients and patient representative’s personal data. It applies to all personal data that is collected and processed in any format, whether electronic or paper.

1. The personal data we collect

We process the personal data us only for specific purposes and only if we have a legal basis to do so. 

Our purposeCategories of personal data we collect from youOur legal basis to process your personal data
Get your input and insights in patient-related mattersPersonal identification data and contact details ( e.g name, surname, title, photo, email address and profession)Your input and insights in patient-related mattersOur legitimate interest to receive information on patient related matters in order to develop medicines
Get your testimony about your diseasePersonal identification data and contact details (e.g. name, surname, title, photo, email address and profession)Video and/or audio recordingsYour health data (e.g. your disease, your symptoms and the medical treatment you follow)In some cases, your financial data (e.g. your IBAN number)Your explicit consent

2. How long we keep your personal data

We will keep your personal data as long as we have a legitimate interest to keep it unless you withdraw the consent you gave us to process your personal data. We frequently review the personal data we hold and delete it when we no longer need it.

3. Sharing your personal data with third parties

We obtain assistance or call on third parties as virtual platforms (e.g.Within3) for the abovementioned purpose. These third parties will be required to process your personal data only in accordance with our instructions and must maintain reasonable security of your personal data.

It may occur that data about you is shared within the Galapagos group of companies if this is necessary to achieve specific purposes. We take appropriate measures to ensure that all the entities of the Galapagos group are submitted to the same or equivalent data protection rules. If the entity is located outside the EEA, we will take the necessary measures to ensure the equivalent protection as within the EEA.

As a general rule, the data that we collect from you is not transferred outside the EEA. If we, in exceptional circumstances, do transfer data outside the EEA, we will appropriately inform you about this and we will ensure it is protected employing the following safeguards:

  • transfer the data to a non-EEA country which has been awarded an adequacy decision by the European Commission;
  • put in place appropriate contractual measures, including standard contractual clauses, with the third party or the Galapagos entity to ensure that the third party or the Galapagos entity protect the personal data to the same standards as those required within the EEA.

4. Security of your personal data

We acknowledge our responsibility to ensure an appropriate level of security with regard to your personal data. Therefore, we have implemented various technical and organizational security measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data.

5. Your rights

When we collect and use your personal data, you enjoy a number of rights which include:

  • right of access: you can request a copy of your personal data undergoing processing and/or demand access to your personal data;
  • right to rectification: you are entitled to have incorrect personal data corrected or completed;
  • right to erasure (right to be forgotten): you have the right to have your personal data removed from our files. However, this right is not absolute, and some conditions must be met for this right to apply;
  • right to restriction of processing: you have the right to request for the restriction of the processing of your personal data. Requests to restrict processing will only be granted where the requesting data subject has legitimate grounds to make such request;
  • right to data portability: for personal data that you have provided to Galapagos, you have the right to receive your personal data, processed by Galapagos, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller;
  • right to object: under certain circumstances, you have the right to object to the processing of your personal data. Please note that this request may be refused if the data is necessary to be processed by Galapagos for compelling legitimate reasons, or the establishment, exercise or defense of legal claims;
  • automated individual decision-making: you have the right not to be subject to a decision based solely on automated processing including profiling;
  • right to withdraw consent: with regard to the processing of personal data for which you have given your consent, you may withdraw your given consent at any time. However, this withdrawal does not affect any processing operations previously carried out on the basis of your consent;
  • right to lodge a complaint: if, at any time, you are of the opinion that we infringe your privacy, you have the right to lodge a complaint with the national supervisory data protection authority. The contact details of the supervisory authorities in Europe, can be found here: Members | European Data Protection Board (

You can exercise those rights by sending a request to our Data Protection Office at After verifying your identity and applicability criteria, we will answer your request within one month of receipt of your email.

6. Changes to this Privacy Notice

Changes to this Privacy Notice can be made from time to time, in accordance with European and local data protection laws. When we change the content of this Privacy Notice, we will change the date and version number of the ‘last update’ of this Privacy Notice.

7. Contact

If you have any questions or comments with regard to the contents of this Privacy Notice, you can contact our Data Protection Office by sending an email to