DrugDev Inc. and its US subsidiaries SecureConsent, LLC, Clinical Financial Services, LLC and Epernicus, LLC (“DrugDev”) recognize that the European Union (“EU”) and Switzerland have established strict protections regarding the handling of personal data under the EU Directive 95/46/EC and Swiss Federal Act on Data Protection (“FADP”), including requirements to provide adequate protection for personal data transferred outside of the EU and Switzerland. The U.S. Department of Commerce has agreed with the European Commission and the Swiss Administration respectively the Privacy Shield as a mechanism providing adequate protection for transfers to the US, on the basis of Privacy Shield Principles including the Supplemental Principles (the “Principles”). DrugDev commits to subject to the Principles all personal data DrugDev receives from the EU and Switzerland in reliance on the Privacy Shield.
The following terms are used throughout this Privacy Shield Policy and are defined here for clarification:
- “agent” means a third party that processes personal data on behalf of and under the instructions of DrugDev.
- “controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “personal data” means (as regards transfers from the EU) any data, including sensitive personal data, about an identified or identifiable individual that are within the scope of Directive 95/46/EC, received by DrugDev in the United States from the European Union, and recorded in any form, and (as regards transfers from Switzerland) any data, including sensitive personal data, about an identified or identifiable individual that are within the scope of the FADP, received by DrugDev in the United States from Switzerland, and recorded in any form.
- “sensitive personal data” means (as regards transfers from the EU) personal data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life, together with any personal data received from a third party where the third party identifies and treats it as sensitive, and (as regards transfers from Switzerland) personal information specifying medical or health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
The following sections apply to the processing by DrugDev, in reliance on the Privacy Shield, of personal data that are connected to prospective, current and former: research subjects, patients, clinical investigators and staff, health care professionals, service providers and business partners, suppliers, officials and industry experts, all in support of DrugDev’s business in the field of clinical trials.
In circumstances other than those set out in the next paragraph, DrugDev supplies individuals with information mandated by the Principles. Such notice is provided when DrugDev first collects personal data, when individuals are first asked to provide personal data or in either case as soon thereafter as is practicable, but in any event before DrugDev uses such data for a purpose other than that for which it was originally collected or processed by the transferring organisation or discloses it for the first time to a third party.
In circumstances in which DrugDev obtains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for providing appropriate notice to the individuals whose personal data are transferred to the U.S. and obtaining any requisite consent.
In circumstances other than those set out in the next paragraphs, DrugDev offers individuals the opportunity to choose (opt out) whether personal data may be (a) disclosed to a non-agent third party or (b) used for a purpose other than that for which the data were originally collected or subsequently authorized by the individual.
For sensitive personal data, DrugDev offers individuals an affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual.
In circumstances in which DrugDev obtains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for providing the relevant individuals with certain choices with respect to the client’s use or disclosure of the individual’s personal data.
DrugDev may disclose personal data notwithstanding the foregoing (i) if it is required to do so by law or legal process, (ii) in response to lawful requests from public authorities, including to meet national security or law enforcement requirements, or (iii) when DrugDev believes disclosure is necessary to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity. DrugDev also reserves the right to transfer personal data in the event it sells or transfers all or a portion of its business or assets (including in the event of a reorganization, dissolution or liquidation).
In circumstances other than those set out in the next paragraph of this section, DrugDev will transfer personal data to third-party controllers in compliance with the Notice and Choice sections above, and enter a contract with the controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. In circumstances other than those set out in the next paragraph of this section, DrugDev will transfer personal data to a third party acting as an agent only for limited and specified purposes after ascertaining that the agent is obligated to provide at least the same level of protection as is required by the Principles, and then monitor and take remedial action as required by the Principles.
In circumstances in which DrugDev obtains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for protecting individual rights with respect to onward transfers.
DrugDev takes reasonable and appropriate precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation
DrugDev will only process personal data in a way that (i) is consistent with the purposes for which the data were collected or subsequently authorized by the individuals and limits personal data to that which is relevant (and to the extent necessary for those purposes, DrugDev will take reasonable steps to ensure that the data are accurate, complete, current and reliable for their intended use), or (ii) (where DrugDev is acting as a service provider) is in accordance with its clients’ or affiliates’ instructions.
In circumstances other than those set out in the next paragraph of this section, DrugDev provides individuals with a reasonable opportunity to correct, amend or delete their personal data where the data are inaccurate. DrugDev may limit or deny access to personal data where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles. The right to access personal data also may be limited in some circumstances by local law requirements.
In circumstances in which DrugDev maintains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for providing individuals with access to their personal data and the right to correct, amend or delete the data where they are inaccurate. In these circumstances, individuals should direct their questions to the appropriate DrugDev client or affiliate. When an individual is unable to contact the appropriate DrugDev client or affiliate, or does not obtain a response, DrugDev will provide reasonable assistance in forwarding the individual’s request.
Recourse, Enforcement and Liability
DrugDev has agreed to participate in the dispute resolution programs provided by the European Data Protection Authorities Panel and the Swiss Federal Data Protection and Information Commissioner respectively and is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Further, an individual may seek the possibility, under certain circumstances, for binding arbitration to resolve a complaint.
In circumstances other than those set out in the next paragraph of this section, individuals may file a complaint concerning DrugDev’s processing of their personal data by contacting DrugDev as indicated below. If you are not satisfied with DrugDev’s handling of the complaint, contacts for the European Data Protection Authorities may be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm and contacts for the Swiss Federal Data Protection and Information Commissioner may be found here: https://www.edoeb.admin.ch/kontakt/index.html?lang=en.
In circumstances in which DrugDev obtained or maintains personal data about individuals as a service provider for its clients or affiliates, individuals may submit complaints concerning the processing of their personal data to the relevant client or affiliate, in accordance with the client’s or affiliate’s dispute resolution process. DrugDev will participate in this process at the request of the client or affiliate or the individual. DrugDev will take steps to remedy any issues arising out of its failure to comply with the Principles.
DrugDev shall be liable under the Principles if an agent processes personal information on its behalf in a manner inconsistent with the Principles, unless DrugDev proves that it is not responsible for the event giving rise to the damage.
How to Contact DrugDev
Please forward any questions about the way in which DrugDev uses personal data to: firstname.lastname@example.org
Changes to This Policy
This Policy may be amended from time to time, consistent with the requirements of the Principles.
Last updated: March 2018