Supplemental Notice to European Economic Area (“EEA”)/United Kingdom (“UK”) Data Subjects

European Union (“EU”) Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “EU GDPR”) and the Retained Regulation (EU) 2016/679 (“UK GDPR”) (collectively the “GDPRs”), require Kymera Therapeutics, Inc. (“Kymera”, “We”, “Our”, or “Us”) as the data controller of “personal data” to provide additional information to Data Subjects in the EEA or the UK about the processing of their personal data. If you are a Data Subject within the EEA or UK, this Supplemental EEA/UK Privacy Policy applies to you in addition to the provisions of Kymera’s Privacy Policy.

1. How We Use Your Personal Data

We will only use your personal data when the law allows us to do so.

We have set out below, in a table format, a description of all the ways we currently plan to use your personal data, and which of the legal bases we rely upon to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need additional details about the specific legal basis we are relying on to process your personal data where more than one basis has been set out in the table below.

| Purpose/Activity | Category of personal data | Lawful basis for processing |
| --- | --- | --- |
| To engage you as a new vendor or other service provider, contractor, or consultant | (a) Identity; (b) Contact | (a) Performance of a contract with you; (b) Necessary for our legitimate interests |
| To interact with consultants, vendors, and service providers including by: (a) Managing payments, fees, and charges; (b) Collecting and recovering money owed to us | (a) Identity; (b) Contact; (c) Financial / Transaction; (d) Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests |
| To manage our relationship with you which will include: (a) Asking you to provide feedback or take a survey; (b) Other communications as a contractor; (c) Responding to your requests | (a) Identity; (b) Contact; (c) Technical and Usage Data; (d) Communications; (e) Financial / Transaction; (f) Applicant, Professional and Employment Related | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests |
| To administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data) | (a) Identity; (b) Contact; (c) Technical and Usage | (a) Necessary for our legitimate interests; (b) Necessary to comply with a legal obligation |
| To recruit and discuss employment and consulting opportunities | (a) Identity; (b) Contact; (c) Communications; (d) Applicant, Professional and Employment related | (a) In accordance with your consent |
| To deliver relevant website content and communications to you and to understand the effectiveness of our communications activities | (a) Identity; (b) Contact; (c) Technical and Usage; (d) Communications | (a) Necessary for our legitimate interests |
| To use data analytics to improve the Website, products, services, offerings, communications, customer or visitor relationships and experiences | (a) Technical and Usage | (a) Necessary for our legitimate interests |
| To monitor pharmacovigilance, safety, and quality of our products | (a) Identity; (b) Contact; (c) Financial / Transaction; (d) Special Categories (health data) | (a) Necessary for our legitimate interests; (b) Necessary for reasons of public interest in the area of public health |

2. Change Of Purpose

We will only use your personal data for the purposes for which we collected it, unless we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3. International Transfers

We are based outside the EEA and the UK in the United States of America, so the processing of your personal data may involve a transfer of data outside the EEA or the UK.

Whenever we transfer your personal data out of the EEA or UK, we ensure a similar degree of protection is afforded to it by ensuring appropriate data transfer mechanisms.

4. How Long We Retain Your Personal Data

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

5. Your Legal Rights

This section provides information on the rights that you have under EEA or UK law in relation to your personal data. Under certain circumstances, individuals located in the EEA or UK have the following data protection rights:

  • To access their personal data;
  • To correct their personal data;
  • To erase their personal data;
  • To object to the processing of their personal data;
  • To restrict the processing of their personal data;
  • To transfer their personal data;
  • To not be subject to a decision based solely on automated processing, including profiling; and
  • To withdraw any consent that they have previously provided for the processing of their personal data.

To exercise any of the rights described above, please contact us using our contact information listed in Section 1 of our Privacy Policy (“How to Contact Us”). As we work to process your request, we may need to request additional information from you, either to confirm your right to access your data (as a security measure) or as it relates to your request. Further, we may charge a reasonable fee or refuse to comply if your request is clearly unfounded, repetitive or excessive.

For advice or to make a complaint, you can also contact the applicable Supervisory Authority within the EEA at this link (https://edpb.europa.eu/about-edpb/board/members_en) or the Information Commissioner’s Office within the UK at this link (https://ico.org.uk/make-a-complaint/).

*****

Supplemental Notice to EEA/UK Data Subjects Last Revised: November 17, 2023