required to comply with the auditor attestation requirements of Section 404(b) of the Sarbanes-Oxley Act, (ii) we will be exempt from any rules that may be adopted by the Public Company Accounting Oversight Board requiring mandatory audit firm rotations or a supplement to the auditor’s report on financial statements, (iii) we will be subject to reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and (iv) we will not be required to hold nonbinding advisory votes on executive compensation or stockholder approval of any golden parachute payments not previously approved. As a result, our public filings may not be comparable to companies that are not “emerging growth companies”. We may remain an “emerging growth company” until the fiscal year-end following the fifth anniversary of the completion of our IPO, though we may cease to be an “emerging growth company” earlier under certain circumstances, including (i) if the market value of our common stock that is held by non-affiliates exceeds $700 million as of any June 30, in which case we would cease to be an “emerging growth company” as of the following January 1, (ii) the date on which we have issued more than $1.0 billion in non-convertible debt during the previous three years, or (iii) if our gross revenue exceeds $1.07 billion in any fiscal year. In addition, the JOBS Act provides that an emerging growth company can take advantage of an extended transition period for complying with new or revised accounting standards. This allows an emerging growth company to delay the adoption of certain accounting standards until those standards would otherwise apply to private companies. In addition, we qualify as a “smaller reporting company,” which allows us to take advantage of many of the same exemptions from disclosure requirements, including not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act and reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements. Even after we no longer qualify as an “emerging growth company,” we may still qualify as a “smaller reporting company” if the market value of our common stock that is held by non-affiliates is below $250 million (or $700 million if our annual revenue is less than $100 million) as of June 30 in any given year, which would allow us to continue to take advantage of these exemptions. Investors may find our common stock less attractive if we rely on these exemptions and relief granted by the JOBS Act. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and our stock price may decline and/or become more volatile. Our data collection and processing activities are governed by restrictive regulations governing the use, processing and, in certain jurisdictions, cross-border transfer of personal information. We may be subject to European, UK, US federal, state, and foreign data protection laws and regulations (i.e., laws and regulations that address privacy and data security). We have personnel located in Ireland and have conducted and may in the future conduct clinical trials in the European Union ("EU") and/or the United Kingdom (“UK”) subjecting us to additional privacy restrictions and data protection requirements. The collection and use of personal health data in the EU are governed by the provisions of the General Data Protection Regulation ("GDPR"), as well as other national data protection legislation in force in relevant Member States (including the UK GDPR and the Data Protection Act 2018 in the UK). These laws impose a broad range of strict requirements on companies subject to the GDPR, such as including requirements relating to having legal bases for processing personal data relating to identifiable individuals and transferring such information outside the European Economic Area, or EEA (or in the case of the UK GDPR, outside of the UK), providing details to those individuals regarding the processing of their personal data, implementing safeguards to keep personal data secure, having data processing agreements with third parties who process personal data, providing information to individuals regarding data processing activities, responding to individuals’ requests to exercise their rights in respect of their personal data, obtaining consent of the individuals to whom the personal data relates, reporting security and privacy breaches involving personal data to the competent national data protection authority and affected individuals, appointing data protection officers, conducting data protection impact assessments, and record-keeping. The GDPR may impose additional responsibility and liability in relation to personal data that we process and we may be required to put in place additional mechanisms ensuring compliance with the new data protection rules. This may be onerous and adversely affect our business, financial condition, results of operations and prospects. Although the UK is regarded as a third country under the EU’s GDPR, the European Commission has now issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. To enable the transfer of personal data outside of the EEA or the UK, adequate safeguards must be implemented in compliance with European and UK data protection laws. On June 4, 2021, the EC issued new forms of standard contractual clauses for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). The new standard contractual clauses replace the standard contractual clauses that were adopted previously under the EU Data Protection Directive. The UK is not subject to the European Commission’s new standard contractual clauses but has published a draft version of a UK-specific transfer mechanism, which, once finalized, will enable transfers from the UK. Following a ruling from the Court of Justice of the European Union, in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), Case C-311/18 (“Schrems II”), companies relying on standard contractual clauses to govern transfers of personal data to third countries (in particular the United States) will need to assess whether the data importer can ensure sufficient guarantees for safeguarding the personal data under GDPR. This assessment includes assessing whether third party vendors can also ensure these guarantees. We will be required to implement these new safeguards when conducting restricted data transfers under the EU and UK GDPR and doing so will require significant effort and cost. 74
RkJQdWJsaXNoZXIy NTIzOTM0