Privacy Shield

DrugDev Inc. and its US subsidiaries Clinical Financial Services, LLC and Epernicus, LLC (“DrugDev”) recognize that the European Union (“EU”) has established strict protections regarding the handling of EU personal data under Directive 95/46/EC, including requirements to provide adequate protection for EU personal data transferred outside of the EU.  The U.S. Department of Commerce and the European Commission have agreed the Privacy Shield as a mechanism providing adequate protection for transfers to the US, on the basis of Privacy Shield Principles including the Supplemental Principles (the “Principles”).   DrugDev commits to subject to the Principles all personal data DrugDev receives from the EU in reliance on the Privacy Shield. 

DrugDev’s Privacy Shield certification can be found at https://www.privacyshield.gov/list. For more information about the Principles, please visit https://www.privacyshield.gov/welcome.

Definitions

The following terms are used throughout this Privacy Shield Policy and are defined here for clarification: 

  • “agent” means a third party that processes personal data on behalf of and under the instructions of DrugDev.
  • “controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “personal data” means any data, including sensitive personal data, about an identified or identifiable individual that are within the scope of Directive 95/46/EC,  received by DrugDev in the United States from the European Union, and recorded in any form.
  • “sensitive personal data” means personal data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life, together with any personal data received from a third party where the third party identifies and treats it as sensitive.

Scope

The following sections apply to the collection, use and disclosure by DrugDev, in reliance on the Privacy Shield, of personal data that are connected to prospective, current and former:  research subjects, patients, clinical investigators and staff, health care professionals, service providers and business partners, suppliers, officials and industry experts, all in support of DrugDev’s business in the field of clinical trials.

Notice

In circumstances other than those set out in the next paragraph, DrugDev supplies individuals with information mandated by the Principles. Such notice is provided when DrugDev first collects personal data, when individuals are first asked to provide personal data or in either case as soon thereafter as is practicable, but in any event before DrugDev uses such data for a purpose other than that for which it was originally collected or processed by the transferring organisation or discloses it for the first time to a third party.

In circumstances in which DrugDev obtains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for providing appropriate notice to the individuals whose personal data are transferred to the U.S. and obtaining any requisite consent.

Choice

In circumstances other than those set out in the next paragraphs, DrugDev offers individuals the opportunity to choose (opt out) whether personal data may be (a) disclosed to a non-agent third party or (b) used for a purpose other than that for which the data were originally collected or subsequently authorized by the individual.

For sensitive personal data, DrugDev offers individuals an affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual.

In circumstances in which DrugDev obtains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for providing the relevant individuals with certain choices with respect to the client’s use or disclosure of the individual’s personal data.

DrugDev may disclose personal data notwithstanding the foregoing (i) if it is required to do so by law or legal process, (ii) in response to lawful requests from public authorities, including to meet national security or law enforcement requirements, or (iii) when DrugDev believes disclosure is necessary to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity. DrugDev also reserves the right to transfer personal data in the event it sells or transfers all or a portion of its business or assets (including in the event of a reorganization, dissolution or liquidation).

Onward Transfers

In circumstances other than those set out in the next paragraph of this section, DrugDev will transfer personal data to third-party controllers in compliance with the Notice and Choice sections above, and enter a contract with the controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.  In circumstances other than those set out in the next paragraph of this section, DrugDev will transfer personal data to a third party acting as an agent only for limited and specified purposes after ascertaining that the agent is obligated to provide at least the same level of protection as is required by the Principles, and then monitor and take remedial action as required by the Principles.

In circumstances in which DrugDev obtains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for protecting individual rights with respect to onward transfers. 

Security

DrugDev takes reasonable and appropriate precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity and Purpose Limitation

DrugDev will only process personal data in a way that (i) is consistent with the purposes for which the data were collected or subsequently authorized by the individuals and limits personal data to that which is relevant (and to the extent necessary for those purposes, DrugDev will take reasonable steps to ensure that the data are accurate, complete, current and reliable for their intended use), or (ii) (where DrugDev is acting as a service provider) is in accordance with its clients’ or affiliates’ instructions.

Access

In circumstances other than those set out in the next paragraph of this section, DrugDev provides individuals with a reasonable opportunity to correct, amend or delete their personal data where the data are inaccurate. DrugDev may limit or deny access to personal data where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles. The right to access personal data also may be limited in some circumstances by local law requirements.

In circumstances in which DrugDev maintains personal data as a service provider for its clients or affiliates, DrugDev’s clients or affiliates are responsible for providing individuals with access to their personal data and the right to correct, amend or delete the data where they are inaccurate. In these circumstances, individuals should direct their questions to the appropriate DrugDev client or affiliate. When an individual is unable to contact the appropriate DrugDev client or affiliate, or does not obtain a response, DrugDev will provide reasonable assistance in forwarding the individual’s request.

Recourse, Enforcement and Liability

DrugDev has agreed to participate in the dispute resolution program provided by the European Data Protection Authorities Panel and is also subject to the investigatory and enforcement powers of the Federal Trade Commission.  Further, an individual may seek the possibility, under certain circumstances, for binding arbitration to resolve a complaint.

In circumstances other than those set out in the next paragraph of this section, individuals may file a complaint concerning DrugDev’s processing of their personal data by contacting DrugDev as indicated below. If you are not satisfied with DrugDev’s handling of the complaint, contacts for the European Data Protection Authorities may be found here:  http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

In circumstances in which DrugDev obtained or maintains personal data about individuals as a service provider for its clients or affiliates, individuals may submit complaints concerning the processing of their personal data to the relevant client or affiliate, in accordance with the client’s or affiliate’s dispute resolution process. DrugDev will participate in this process at the request of the client or affiliate or the individual. DrugDev will take steps to remedy any issues arising out of its failure to comply with the Principles.

DrugDev shall be liable under the Principles if an agent processes personal information on its behalf in a manner inconsistent with the Principles, unless DrugDev proves that it is not responsible for the event giving rise to the damage.

How to Contact DrugDev

Please forward any questions about the way in which DrugDev uses personal data to: privacy@drugdev.com

Changes to This Policy

This Policy may be amended from time to time, consistent with the requirements of the Principles.

Last updated: September 2016