Last Update : 18/02/2021

1. Privacy & Cookie Statement

2. Privacy Notice for Health Care Professionals


1.Privacy & Cookie Statement

Galapagos (“the Company,” “we” or “us”) values your privacy and we want to be transparent about the information we collect, why we collect it, and how the information is used. For the personal data collected through this website, Galapagos NV, Generaal De Wittelaan 11 A3, 2800 Mechelen will act as the controller. In this way, we control the process by which your personal data is collected and the purposes for which your personal data is used.

Furthermore, we want you to know your rights regarding your personal data. This Privacy Statement addresses how we handle and protect personal data collected via the Galapagos website (“the Site”) or a related website controlled by the Company or personal data collected in the provision of any support or other services (“Services”). We strongly recommend that you read this Privacy Statement and, if you have any questions, contact us via

We confirm that personal data will be dealt with in accordance with the Belgian, European, UK, and relevant United States privacy laws and regulations, including Belgian law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, the Data Protection Act 2018 (UK),  and the Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data - General Data Protection Regulation (GDPR).


Information we collect

Personal data includes any information relating to an identified or identifiable natural person (also known as a “data subject”). This may include, but is not limited to: your name, address, email address, phone number, identification number or location data. More information on personal data we collect can be found below in specific sections of this Privacy & Cookie Statement.


For which purposes we use the information we collect

We use your personal data solely for the purposes of processing your requests, to conduct our business, to develop analytics and aggregated data that allow us and our partners to improve our Site and related Services, recruitment-relating purposes or to correspond with you. Below is a summary of the channels through which information is currently collected on the Site including the type of personal data collected via each channel and how that data is used.


Legal ground for processing

We will only process your personal data if: (a) we have obtained your prior consent, (b) the processing is necessary to perform our contractual obligations or to take pre-contractual steps at your request, (c) the processing is necessary to comply with legal or regulatory obligations or (d) the processing is necessary for our legitimate interests.


Use of our website

When using our website to subscribe to press releases, register for clinical trial updates or merely to contact us, we may collect the following information: your name, e-mail address, company you work for and preferred language of communication, as well as other information that you choose to provide to us.



The Contact Page provides you with our office addresses, email addresses and telephone contact information should you wish to contact us. Other contact details can be found on our online reporting page or in the news section of the Site. By contacting us, you may provide us with personal data amongst other information in relation to your query or request. Based on the personal data you provide us, we may communicate with you in response to your inquiries, to provide the services you request. We will communicate with you by email or telephone, in accordance with your preference.


Job applications

In case you apply for a job opening or in case of a spontaneous job application, the following personal data can be processed for the job application procedure:

When you apply for a position via our website, we collect the following personal data to facilitate the entire job application procedure for recruiting-relating purposes. These recruitment-related purposes include:

Applicants must provide accurate and up to date information, and cannot knowingly omit any relevant information that is critical for the selection procedure. Job applicants that refuse to provide information that is required to assess suitability for the applied role, may be barred from the selection procedure, unless applicant has a justified reason for refusing to provide such information.

The Company may also collect your personal data from other sources if you would not apply for a position via our website, such as from e.g. recruitment agencies, professional social networks and former employers.

This information is then entered into our human resources database which is hosted on a server in the EEA. We also rely on external service providers such as Recruitee ( which allows applicants to submit applications through LinkedIn ( or Indeed ( Please be aware that these parties may also use cookies or similar technologies.

If you have not been successful for the position for which you have applied, you will be contacted via email and the personal data that was provided will be kept in the database to inform you about new positions that may be of interest to you, for a maximum of 2 years after the date of collection. Similarly, in case of a spontaneous application, your application will be kept for 2 years.


Business contacts

In case you are a business contact person for Galapagos, your personal data is used for business relationship management purposes such as maintaining the ongoing relationship with, e.g., our contractors, service providers, partners, consultants, etc. The personal data that is being used may include but is not limited to: your name, e-mail address, telephone number, organization related details, contact history, signature. This information may either be directly provided by you or by the organization you are related to.


Our customers

Our customer database includes individuals with whom we had previous business relations including but not limited to researchers that participated in clinical trials, Key Opinion Leaders, (former-) members of the advisory and scientific boards, contacts gathered at events, and individuals that have contacted Galapagos. The database also includes publically available contact information.

In case you are a customer or prospective customer of Galapagos, your personal data is used for business development purposes such as communication on the Services and related products, organization of focus-group discussions, market studies and others. The personal data that is being used may include but is not limited to: your name, e-mail address, telephone number, organization related details, contact history with Galapagos.


Data retention

Your personal data is kept for no longer than is necessary in relation to the purposes for which it is collected. We will frequently review the information we hold and when there is no longer a legal or business need for us to store it. In cases of clinical research information portals providing information on clinical research studies, your personal data will be removed once the portal is no longer live, or our Services are no longer being provided.

In order to protect the Company against any legal claims or to respond to potential inquiries, files may be stored in back-ups of the Company or in the archives in function of the applicable statutes of limitation. These archived copies will only be used if strictly required by the Company for the establishment, exercise or defense of legal claims and can, in such situations, be shared with legal advisors.


Your rights

You have the possibility to exercise your rights as described in the GDPR. As a data subject, you can exercise the following rights:

To exercise the above rights, you can contact Galapagos Data Protection Officer, After verifying your identity and data subject rights applicability criteria, we will do everything reasonably possible to comply with the request unless it will require completely unreasonable measures (e.g. technically or organizationally virtually impossible or extremely costly). We may refuse to process requests that are unreasonably repetitive or systematic.


Conditions under which we share information

Your personal data may be used by a parent, subsidiary, or affiliate entity within the Galapagos NV corporate family, partner entities, and the vendors and service agencies that we may engage to assist us. We will never pass your personal data to anyone else without your consent, except for (a) successors in title to our business, or (b) when required by law. We will share your personal data with providers only in the ways that are described in this Privacy Statement.

We do not sell, trade, or otherwise transfer to outside parties, personal data we collect from you without your consent, except in cases where we may share personal data for any Services that may be in effect from time to time, including, without limitation, the situations described below:


International transfers

For users residing in the European Economic Area, including the United Kingdom (“EEA”), the data that we collect from you may be transferred to, and stored at, a destination outside the EEA. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers.

If we do transfer data outside the EEA, we will ensure it is protected employing the following safeguards:


Information Security

We are committed to protecting the security and privacy of your information. We will use appropriate technical and organisational measures to restrict access to personal data to those of our employees, agents, contractors, or representatives who require access to such information to perform tasks assigned to them by us. All data gathered by our Services is stored by us in a secure, password-protected database. Only we and our third party processors, if any, have access to this database.

We will protect personal data provided to us by using reasonable security safeguards against loss, theft, unauthorized access, disclosure, copying, use, or modification. Although we and our third party processors implement standard security protections, we cannot guarantee the physical or electronic security of the servers and databases on which the Services are hosted. We require our partners who receive your information to agree to security requirements consistent with this Privacy Statement. If you create copies of information from the Services, we cannot protect the security and privacy of the information contained in such copies.


Cookies and Do Not Track

As is now common with most websites, our Site uses cookies to record certain information about your use of the Site. Cookies are small data files generated by a website and saved by your web browser. Any information obtained consequently is used on an anonymous, aggregated basis and you cannot be identified from it. You are not required to accept a cookie that we send to you and you can modify your browser’s settings so that it will not accept cookies. If you choose to disable cookies, you can do so specifically for the type of browser you use:

This table shows the type of cookies, the purposes for which they are used and their retention periods.

Cookie Name Purpose Retention period
(set by Google Analytics)
To help understand how visitors interact with the websites by providing information about the areas visited, the time spent on the website, and any issues encountered, such as error messages. This helps Us improve the performance of our websites. By default, this cookie is set to expire after 2 years
(set by Google Analytics)
This cookie is used to limit the collection of data when there is high traffic on the site. 10 minutes
(set by Google Analytics)
To store and group the session’s activity for each user. 25 hours
_PHPSESSID Temporarily saves the information of your session so that you do not need to fill the form again when you reload the page. When the browsing session ends.
_wfvt_ [ID of website] These contain information about your general geographic location. When the browsing session ends.
(set by the Wordfence Security WordPress plugin)
To protect the site against malicious attacks. 24 hours
_gat_gtag_[ID of website] Identification code of website for tracking visits 2 years
scf_cookielayer_storage Saves the information regarding the fact that you have agreed to the website's terms of use. 30 days


Third-party cookies

Certain cookies are placed by a third party, for example Google Analytics to measure the use of the website. These cookies are found in other companies’ internet tools which we use to enhance our site, for example LinkedIn and Twitter all have their own cookies, which are controlled by them. If you do not want a website to place cookies on your device, you can change the settings of your browser as abovementioned.

Our Site and Services currently do not respond to “Do Not Track” (DNT) signals.



This Site and our Services are not aimed at people under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take reasonable steps to remove such information from our systems and terminate the applicable account.


Changes to our Privacy Statement

From time to time, this Privacy Statement may be revised. Any changes to this Privacy Statement will be indicated through the mention of effective date and version number. Continued use of our sites after changes made to our Privacy Statement indicates your consent to the use of newly submitted information.



We reserve the right to disclose personal data in the following circumstances: as required by law; if we believe that disclosure is necessary to protect ours or others’ rights, property, or safety; to comply with a judicial proceeding, court order, or legal process served on us or the Services; or in connection with an actual or proposed corporate transaction or insolvency proceeding involving all or part of the business or assets to which the information pertains. By using the Services, you consent to having any personal data you provide to us transferred to and processed in the United States. BECAUSE SOME JURISDICTIONS DO NOT PERMIT CERTAIN LIMITATIONS OR DISCLAIMERS OF LIABILITY, THESE LIMITATIONS MAY NOT APPLY TO YOU.


For questions regarding this Privacy Statement, please contact:


2.Privacy Notice for Health Care Professionals

We Galapagos Biotech Limited “Galapagos”, “we,” or “us”) are committed to ensure the protection of personal data of all individuals who are currently collaborating with us, including Health Care Professionals (“HCPs” or “you”). Your personal data are handled and protected with the utmost care, in accordance with the requirements imposed by European and local data protection laws.

In this privacy notice we explain the principles that we apply, in our capacity as a controller, when we process HCPs personal data (“Privacy Notice”). It applies to all personal data that is collected and processed in any format, whether electronic or paper.

1. Our purposes, the personal data we collect and how long we keep it

We process your personal data for different purposes, all in the context of the professional relationship we have with you or we aim at having.

We usually collect personal data directly from you but we may obtain personal data such as your contact details from other sources such as IQVIA, public databases, social media platforms and other third parties.

We take adequate measures to ensure your personal data are not stored for longer than necessary to meet the below-mentioned purposes or as necessary in the context of a contract or a legal obligation.

For each purpose, we list here the legal basis, the categories of personal data concerned and the retention period of the personal data:

Purpose and legal basis

Categories of personal data concerned

Retention period

Relationship Management:

- know and understand your professional history and professional qualification;

- build your profile and get a better understanding of your expertise and topics of interest;

- determine the possibilities to enter into a business relationship with you or renewal of the existing relationship, or with the healthcare organization you work for;

- respond to your queries;

- share information with you that might interest you e.g. send you disease awareness information. We may notably send you electronic marketing emails, e.g. newsletters. Note that you can ask to stop receiving marketing emails at any time.

> Based on our legitimate interest to start and/or maintain a professional relationship with you and to provide you with as much useful information as possible on our company and our products

Identification data and contact details: e.g. name, address, e-mail, telephone number, nationality, date of birth, gender, preferred language;


Professional Information: e.g. description of your function, professional title, practice, level of expertise, knowledge of our products, specialism and identification number, including your profile on a social media platform;

Notes made during our meetings.


As long as there exists a professional relationship between us

Administration of invoices:

- meet our accountant tax duties and legal accounting obligations

> Necessary to comply with accounting legal obligations


Identification data and contact details;

Financial details: e.g. registration numbers, bank account number; invoices, tax and insurance information;


Transfer of Value details: e.g. contribution to costs related to educational events, registration fees, travel and accommodation expenses, fees for services, the funding and payment of research and development work.

As long as it is required by legal accounting obligations.

Organization of your attendance to fairs and events:

- organize your attendance to an event e.g. a meeting or manifestation, etc.

- organize travel and/or accommodation on your behalf.

> Based on our legitimate interest to organize your attendance to fair and events

Event details: e.g. time and date of the event, registration details and fees, other costs related to the event, passport details;

Travel and accommodation details:  e.g. travel and accommodation expenses and preferences, fees for services.

1 month after the event took place, except when applicable legislation obliges us to keep this data longer, then the retention period stated in the law.

Transfers of Value:

- record the amount of direct and indirect payments made to you.

This includes sponsorships.

> Necessary to comply with national legal obligations or;

> based on your consent. This depends on the legislation in your country of residence. If consent is required, your consent will be obtained accordingly

Identification data and contact details;

Transfer of Value details;

Financial details.

As long as it is required by national laws.

If the period is not defined by a national legal obligation, as long as necessary for us to comply with the ABPI Code of Practice (unless you withdraw your consent to this processing).

Clinical trials:

- if you are involved in conducting a clinical trial: to conduct clinical trials and to answer product complaints and adverse events.

> Necessary to ensure compliance with a legal obligation to keep clinical trial related data

Identification data and contact details;

Professional Information;

Your answers to product complaints and adverse events.

We will keep your information for 25 years after the end of the clinical trial as provided by the Clinical Trial Regulation.

Market Research and other activities:

- if you are involved in conducting studies/surveys: to conduct research studies/surveys on the commercialization of our products.

> Necessary to ensure compliance with pharmacovigilance laws or;

> Based our legitimate interest to collect information about the commercialization of our products.

Identification data and contact details;

Professional Information including the information and relationship with regard to an “adverse event”;


Your input for market research.

As long as it is required by pharmacovigilance laws.

If the period is not defined by a national legal obligation, we will try to de-identify your data if possible.

We believe that the above-mentioned purposes for processing your personal data are within anyone’s reasonable expectations. However, for all of the personal data we have collected in the aforementioned circumstances, we wish to make it clear that we will also process your personal data to: (a) comply with legal obligations or to comply, insofar we are legally allowed to do so, with any reasonable request from competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including competent data protection authorities; (b) inform a third party in the context of a possible merger with, acquisition from/by or demerger by that third party, even if that third party is located outside the EU, in which case we rely on our legitimate interest to engage in corporate transactions.

2. Accuracy

We take all appropriate steps to ensure that personal data are accurate, up to date and reliable for the purposes intended. Please be aware that you are partly responsible for the accuracy of your personal data. Should certain information we hold about you change, please notify us promptly.

3. Disclosure to third parties

We may obtain assistance or use third parties for the abovementioned purposes. These third parties will be required to process your personal data only in accordance with our instructions and to maintain reasonable security of such personal data. These third parties may include but are not limited to, as the case may be: payroll organization, social secretariat, National transfer of value disclosures data base (Disclosure UK) health insurance provider, group insurance provider, HR-system provider or another software supplier, cloud service solution provider, banking institution and an authorized medical entity. In addition, personal data may be disclosed to authorized persons dealing with claims and investigations, law enforcement authorities, legal advisors and public authorities if needed to comply with a request or for the establishment, exercise or defense of legal claims.

It may occur that data about you is shared within the Galapagos group of companies if this is necessary to achieve specific purposes. We take appropriate measures to ensure that all the entities of the Galapagos group are submitted to the same or equivalent data protection rules. If the entity is located outside the EEA and/or the UK, we will take the necessary measures to ensure the equivalent protection as within the EEA and/or the UK.

As a general rule, the data that we collect from you is not transferred outside the EEA and/or the UK. If we, in exceptional circumstances, do transfer data outside the EEA and/or the UK, we will ensure it is protected employing the following safeguards:

4. Security of processing

We acknowledge our responsibility to ensure an appropriate level of security with regard to your personal data. Therefore, we have implemented appropriate technical and organizational measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data.

5. Your rights

When we collect and use your personal data, you can exercise the following rights:

Unless specified otherwise above, you can exercise those rights by sending a request to After verifying your identity and applicability criteria, we will as a general rule, provide you with information on action taken within one month of receipt of the request.

6. Changes to this Privacy Notice

Changes to this Privacy Notice can be made from time to time, in accordance with European and local data protection laws. When we change the content of this Privacy Notice, we will change the date and version number of the ‘last update’ of this Privacy Notice.

7. Contact

If you have any questions or comments with regard to the contents of this Privacy Notice or if you want to exercise one of your rights in relation to the data processed by us, you can contact our Data Protection Office by sending an email to