Clinipace Privacy Statement

Overview of Clinipace

As a global full-service contract research organization (CRO), Clinipace Inc., a global company headquartered in the United States and its Affiliates (“CLINIPACE”) serve the unique needs of venture-backed, mid-tier and strategic pharmaceutical, biotechnology and medical device firms, helping them advance drug candidates to deliver successful stakeholder and patient outcomes.  The company leverages extensive therapeutic knowledge, clinical trial expertise, and innovative technology to support life science firms in achieving some of their most important goals: Executing regulatory strategies, optimizing clinical development timelines and completing high quality trials.

Clinipace has completed more than 1,500 clinical trials and 1,500 regulatory and statistical consulting projects and operates in North America, South American, Europe, and Asia.

Definitions

  1. Affiliates: means the list of entities in Exhibit A of the Information Notice (see below links).
  2. Controller: means a person or entity which, alone or jointly, determines the purposes and means of Processing Personal Data of a Data Subject.
  3. Data Subject: an identified or identifiable person who has provided Personal Data.
  4. HR Personal Data: Personal Data of employees and contractors.
  5. Personal Data: are identifiable data recorded in any form about a Data Subject, which may include identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
  6. Process/Processing/Processed: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  7. Processor: a person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
  8. Sensitive Personal Data: Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the Data Subject.

Scope.

This Privacy Policy Statement (“Privacy Statement”) describes how CLINIPACE Processes Personal Data of European and Swiss Data Subjects in compliance with the principles outlined in the EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (collectively “Privacy Shield”) as set forth by the Department of Commerce (collectively the “Principles”). If there is any conflict between the policies in this Privacy Statement and the Principles, the Principles shall govern.

Limitations On Scope.                                                                                                                     

Adherence to this Privacy Statement may be limited to the extent required by law, regulations or other governmental obligations, and CLINIPACE reserves the right to share  a Data Subject’s Personal Data as required or authorized by law or regulation or requested by governmental authorities. In accordance with applicable privacy laws, this Privacy Statement may not apply or may be limited to Processing activities necessary for the performance of a contract between the Data Subject and CLINIPACE.

Self Certification.

CLINIPACE has certified that it is complies to both the Privacy Shield Principles of: 1) notice, 2) choice, 3) accountability for onward transfer, 4) security, 5) data integrity and purpose limitation, 6) access, and 7) recourse, enforcement and liability (the “Principles”) in regard to the Processing of “Personal Data” of Data Subjects transferred from European Union and Switzerland to the United States.  For a more detailed explanation on the rights and obligations described under the Principles please refer to Exhibit B of the Privacy Statement.

CLINIPACE has also certified that it agrees to cooperate and comply with 1) applicable EU and Swiss Data Protection Authority with regard to the Processing of HR Personal Data and 2) the Federal Trade Commission with regard to the Processing all other Personal Data. CLINIPACE acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield.

 CLINIPACE Data Processing Activities / Information Notices.                         

In the course of conducting its day to day activities CLINIPACE may Process the Personal Data of different Data Subjects. For some Processing activities CLINIPACE may act as Controller and other times CLINIPACE may act as a Processor at the direction of its client.

CLINIPACE acts as a:

  1. Controller in terms of Personal Data that is Processed from its employees, contractors, web users, clients, and certain vendors; and
  2. Processor on behalf of its Controller clients in terms of Processing Personal Data from clinical study site staff and certain vendors.

CLINIPACE collects and stores:

  1. HR Personal Data from CLINIPACE’s employees and contractors (past and present) collected in the context of the employment relationship necessary for personnel administration and the performance of CLINIPACE clinical study and legal/regulatory obligations;
  2. vendor and client Personal Data for purposes of providing client services;
  1. web user Personal Data for marketing and general informational purposes;
  2. clinical study site staff Personal Data for purposes of regulatory compliance and for fulfilling CLINIPACE clinical study and legal/regulatory obligations; and
  3. key coded clinical subject data for purposes of fulfilling CLINIPACE’s clinical study obligations.

Note on Clinical Trial Subject Data:  Under the Privacy Shield, key-coded data is not considered protected Personal Data if the company does not receive the key. It is CLINIPACE’s policy to only receive key coded clinical subject data. In the event that CLINIPACE comes in contact with un-redacted clinical trial Personal Data, CLINIPACE will adhere to the Principles with respect to the Processing of such Personal Data.                                                                         

 Information Notices.

Under the Notice Principle, CLINIPACE is obligated to provide notification regarding the use, processing, transfer, and retention of a Data Subject’s Personal Data as well as his/her request and recourse rights under the Principles. CLINIPACE’S Information Notice for Non-HR Personal Data is attached as Exhibit C.  CLINIPACE’S Information Notice for HR Personal Data is located at \\clinipace.net\dfs\HR\Public.

Note to Clinical Trial Subjects. For clinical trial subjects enrolled in CLINIPACE participating trials, please reach out to the institutional/investigator contact indicated on your clinical subject Informed consent form for all privacy related inquiries and/or complaints.                                                                   

Please go to Exhibit B Section 1 for more information on this topic.

Recourse, Enforcement and Liability.

In compliance with the Principles, CLINIPACE commits to resolve complaints about our Processing activities with respect to the Personal Data of European and Swiss Data Subjects. CLINIPACE has also committed to refer unresolved complaints, at no cost to the Data Subject, to 1) the International Centre for Dispute Resolution, the global component of the American Arbitration Association, which is an independent recourse mechanism establish in the United States (“IDCR/AAA”) (to submit a claim or learn more go to: http://info.adr.org) for non-HR Personal Data and 2) by the applicable national Data Protection Agency of where the Data Subject works for HR Personal Data. CLINIPACE commits to cooperate with the panel established by the EU and Swiss Data Protection Authorities (“Panel”) and comply with the advice given by the Panel with regard to HR Personal Data transferred from the European Union or Switzerland (in the context of the employment relationship). The Data Subject also has the right to complain directly to the Department of Commerce and the EU and/or Swiss Data Protection Authority. If a Data Subject’s complaint is still not resolved by the mechanisms above, in some instances, the Data Subject has the right to invoke binding arbitration.

Please go to Annex 1 of the Privacy Shield Principles for more information at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

For European and Swiss Data Subject inquiries, requests, or complaints, please click on the appropriate Information Notice web link above and follow the “Clinipace Dispute Resolution Mechanism Process” outlined in the appropriate Information Notice.  

In the context of onward transfer, a Privacy Shield organization has responsibility for the Processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Any CLINIPACE staff in violation of this Privacy Statement will be subject to disciplinary action up to and including termination of employment, where applicable.

Please go to Exhibit B Section 7 for more detailed information on this topic.

Effective Date.

This Privacy Statement shall become effective 30 September 2016. Please refer to www.clinipace.com for the most recent version of this Privacy Statement.

Privacy Statement Changes.

This Privacy Statement may be reviewed and amended from time to time, without advance notice, consistent with the requirements of the Principles, to ensure that an appropriate level of protection for Personal Data is maintained.

All amendments will be posted on the following website: www.clinipace.com.
A notice will be posted on the www.clinipace.com website for sixty (60) days if there is a material amendment to this Privacy Statement.

Additional Links.

CLINIPACE’s Privacy Shield Certification and more information about Privacy Shield can be found at https://www.privacyshield.gov.

 EXHIBIT A

 LIST OF CLINIPACE AFFILIATES

Accovion Sp.z o.o. (Poland)

Accovion s.r.o (Czech Republic)

Accovion S.r.l. (Romania)

Accovion SARL (France)

Accovion S.R.L. (Italy)

Accovion S.L. (Spain)

Accovion LLC (Ukraine)

Accovion Ltd. (UK)

Accovion GmbH (Germany)

Clinipace Global, Ltd. (UK)

Clinipace A.G. (Switzerland)

Clinipace KK (Japan)

Clinipace Korea Ltd. (South Korea)

Choice Pharma Taiwan Co. Ltd. (Taiwan)

Choice Pharma Asia SDN. BHD (Malaysia)

Clinipace Australia Limited Pty. (Australia)

Clinipace Clinical Research Private Limited (India)

Choice Pharma, (HK) Limited (Hong Kong)

Choice Pharma Medical Information Consultancy (Shanghai) Co. Ltd. (China)

Choice Pharma Asia Pacific Pte. (Singapore)

Clinipace GmbH (Germany)

Paragon Biomedical, Inc. (USA)

Paragon Biomedical, Ltd. (UK)

Paragon Biomedical Poland sp.  zo.o. (Poland)

Regulus Pharmaceutical Consulting, Inc. (USA)

Worldwide Clinical Research, Inc. (USA)

Worldwide Clinical Research Del Peru SAC (Peru) 

EXHIBIT B

DETAILED EXPLANATION OF THE RIGHTS AND OBLIGATIONS UNDER THE PRIVACY SHIELD PRINCIPLES

  1. Notice

To ensure compliance with the Principals, CLINIPACE must provide all of its Data Subjects with appropriate notice, in clear and conspicuous language, regarding the use, processing, transfer, and retention of its Personal Data when the Data Subject is first asked to provide Personal Data to CLINIPACE or as soon thereafter as is practicable, but in any event before CLINIPACE uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

The information contained in the notification shall include:

a. Clinipace’s participation in Privacy Shield;

b. the types of Personal Data CLINIPACE and its entities and subsidiaries collects;

c. Clinipace’s commitment to Data Subject to the Principles all Personal Data received from the EU and Switzerland in reliance on the Privacy Shield;

d. the purposes for which CLINIPACE collects and uses Personal Data about them;

e. how to contact CLINIPACE with any inquiries or complaints, including any relevant establishment in the EU and Switzerland that can respond to such inquiries or complaints;

f. the type or identity of third parties to which CLINIPACE discloses Personal Data, and the purposes for which CLINIPACE does so;

g. the right of the Data Subject to access their Personal Data, subject to limitations provided in Privacy Shield;

h. the choices and means CLINIPACE offers Data Subjects for limiting the use and disclosure of their Personal Data;

i. the independent dispute resolution body CLINIPACE has designated to address Data Subject complaints and provide appropriate recourse free of charge to the Data Subject and designate whether the independent dispute resolution body is: (i) a panel established by DPAs, (ii) an alternative dispute resolution provider based in the EU or Switzerland, or (iii) an alternative dispute resolution provider based in the United States;

j. which investigatory and enforcement powers CLINIPACE is subject;

k. the possibility, under certain conditions, for the Data Subject to invoke binding arbitration;

l. CLINIPACE’s requirement to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and

m. CLINIPACE’s liability in cases of onward transfers to third parties.

Please refer to the applicable CLINIPACE Information Notice detailing the information required to be provided under subsections a through m above.          

            

  1. Choice

To remain compliant with the Principals, Data Subjects have the opportunity to choose (opt out) whether their Personal Data is:

a. Is disclosed to a third party that is not acting as an agent to perform tasks on behalf of CLINIPACE and does not have a contract with CLINIPACE for such tasks

                                               or

b. Is used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Data Subject.

If the Data Subject wishes to ‘opt out’, the Data Subject must contact CLINIPACE using the means of communication outlined in the Information Notice.

For Sensitive Personal Data CLINIPACE will obtain affirmative express consent (opt in) from Data Subjects if such information is to be

a. disclosed to a third party

                or

b. used for a purpose other than those for which it was originally collected or subsequently authorized by the Data Subject through the exercise of opt-in choice.

CLINIPACE treats as sensitive any Personal Data received from a third party where the third party identifies and treats such Personal Data as sensitive.

  1. Accountability for Onward Transfers

 

CLINIPACE transfers Personal Data to a third party, acting as a Controller, in conformance with the Principals of Notice and Choice.  CLINIPACE will enter into a contract with any third-party controller which will provide that:

a. such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the Data Subject;

b. the recipient third party will provide the same level of protection as the level of protection afforded in the Principles; and

c. the recipient third party will notify CLINIPACE if it determines it can no longer meet this obligation and will subsequently cease processing or take other reasonable and appropriate steps to remediate its perceived deficiencies.

CLINIPACE will only transfer personal data to a third party acting as CLINIPACE’s agent if:

a. CLINIPACE’s Personal Data transfer to the third party agent is only for limited and specified purposes;

b. CLINIPACE ascertains that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;

c. CLINIPACE takes reasonable and appropriate steps to ensure that the third party agent effectively processes the Personal Data transferred in a manner consistent with CLINIPACE’s obligations under the Principles;

d. CLINIPACE requires that the third party agent notify CLINIPACE if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and will subsequently cease processing or take other reasonable and appropriate steps to remediate its perceived deficiencies; and

e. CLINIPACE provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Federal Trade Commission or other applicable regulatory body upon request.

Please refer to the applicable CLINIPACE Information Notice for more information on how CLINIPACE handles third party transfers.                        

  1. Security                    

CLINIPACE takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved with the processing and nature of the Personal Data.

 Please refer to the applicable CLINIPACE Information Notice for more information on how CLINIPACE ensures security of the Personal Data.                                        

  1. Data Integrity and Purpose Limitation

 CLINIPACE’s collection, use, processing and retention of the Personal Data is limited to the information that is relevant for the purposes of processing (“Purpose”). CLINIPACE will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

To the extent necessary for those purposes, CLINIPACE takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current.

CLINIPACE adheres to the Principles for as long as it retains the Personal Data.
Personal Data is retained in a form identifying or making identifiable the Data Subject only for as long as it serves the Purpose, provided that CLINIPACE may retain the Personal Data for longer periods of time if permitted by the Principles such as serving customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, adherence to other laws such as FDA or other applicable regulatory authority rules and/or regulations, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
Please refer to the applicable CLINIPACE Information Notice for more information on the purposes by which CLINIPACE processes Personal Data and the applicable data retention requirements. 

  1. Access

Upon request, CLINIPACE will provide Data Subjects access to its Personal Data that CLINIPACE holds.

The Data Subject can request that CLINIPACE correct, amend, or delete inaccurate Personal Data or Persona Data that is processed in violation of the Principles, provided that the burden or expense of providing access is not disproportionate to the risks to the Data Subject’s privacy or where the rights of other Data Subjects would be violated if access was granted.           

Please refer to the applicable CLINIPACE Information Notice for more information on how Data Subject can request his/her access rights.                   

  1. Recourse, Enforcement and Liability

a. Compliance Mechanisms:

CLINIPACE has implemented internal, self-assessment procedures for conducting random audits of its privacy practices to ensure that such practices are in compliance with this Privacy Statement.  In the event that CLINIPACE becomes aware that its policies/processes are not compliant with the Principles, CLINIPACE will promptly remedy the problem by modifying its applicable policies and/or procedures (including this Privacy Statement) accordingly to ensure compliance.

CLINIPACE has also trained its employees to ensure compliance with its privacy obligations under the Principles. Any employee or contractor that CLINIPACE determines is in violation of this Privacy Statement will be subject to mandatory re-training and/or disciplinary action, up to and including termination.

In the event of a privacy related issue or complaint CLINIPACE will cooperate with and promptly respond to inquiries and requests from

  • the Applicable EU Agency or the Swiss Federal Data Protection and Information Commission, as applicable, for HR related privacy concerns/complaints; and
  • the FTC, Department of Commerce and Third Party Dispute Contact identified in the Information Notice for all other privacy concerns/complaints.

CLINIPACE will investigate and/or resolve any concern, complaint or question (“Issue(s)”) in accordance with this Privacy Statement. CLINIPACE employees, contractors or applicable external parties will direct any Issue(s) arising from the use or disclosure of Personal Information to the CLINIPACE.

b. Data Subject Recourse Mechanisms.

The Data Subject has a number of recourse mechanisms in the event of a data privacy issue such as:

  • the right to complain to CLINIPACE regarding his/her data privacy issue in which CLINIPACE must respond to the Data Subject’s complaint within forty five (45) of receipt of the complaint;
  • the right to a cost-free independent dispute resolution mechanism to address non-HR related privacy complaints, which for CLINIPACE if the complaint remains unresolved by CLINIPACE;
  • the right to complain to the applicable data protection authority in the Data Subject’s country of origin or the FTC for data privacy concerns, if the complaint remains unresolved by CLINIPACE; and
  • the ability to invoke binding arbitration in accordance with the rules set forth under Annex 1 of the Privacy Shield Framework to address any complaint regarding a violation of CLINIPACE’s obligations under the Privacy Shield Principles if the Data Subject’s complaint has not been resolved by any of the other means described above.

If the Data Subject has invoked binding arbitration, CLINIPACE will follow the rules set forth in Annex 1 of the Privacy Shield Framework.

Please refer to the applicable CLINIPACE Information Notice for more information on how Data Subjects can submit privacy complaints.

       c. CLINIPACE Consequences for Non-Compliance

  1. CLINIPACE is potentially liable if a third party acting as an agent on CLINIPACE’s behalf transfers or processes Personal Data in violation of the Principles.
  2. If CLINIPACE becomes subject to an FTC or court order based on non-compliance, CLINIPACE shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
  3. CLINIPACE may be subject to monetary damages if the Data Subject is awarded damages under binding arbitration.
  4. CLINIPACE may be subject to sanctions or exclusion from participating in either the EU-US or Swiss Privacy Shield program if the Department of Commerce deems the violation warrants such sanctions or exclusion. If CLINIPACE is excluded from participating in the EU-US or Swiss Privacy Shield Program, CLINIPACE may be required to return or delete the Personal Data it received under the EU-US or Swiss Privacy Shield.

8. HR Data Supplemental Principles.

Privacy Shield provides additional principles with respect to HR Personal Data (“HR Principles”). CLINIPACE agrees to adhere to the HR Principles as outlined below.

a. Coverage by the Privacy Shield

CLINIPACE agrees that before transfers of European and Swiss HR Personal Data to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield are made that CLINIPACE will ensure that 1) the collection and/or processing of the HR Personal Data prior to transfer was done in accordance with national laws of the country where the HR Personal Data was collected, and 2) any conditions for or restrictions on its transfer according to those laws are respected.

b.  Application of the Notice and Choice Principles

  1. CLINIPACE may disclose European and Swiss HR Personal Data of its employees and contractors it to third parties or use it for different purposes than the purpose indicated from the original collection of the HR Personal Data, but only if CLINIPACE provides the affected Data Subjects with adequate notice and choice purpose (in accordance with the Principles) to transfer and/or use the HR Personal Data for a new purpose.
  2. CLINIPACE’s desired new use must not be incompatible with the original purposes for which the HR Personal Data has been collected or subsequently authorized by the Data Subject. Notice and choice requirements to the employee/contractor Data Subject is not required to the extent and for the period necessary to avoid prejudicing the ability of CLINIPACE to make decisions on promotions, appointments, or other similar employment decisions.
  3. CLINIPACE may not restrict employment opportunities or take any punitive action against any of its employee/contractor Data Subjects if the Data Subject does not consent to the new use or transfer. Upon written request, CLINIPACE will make reasonable efforts to accommodate employee/contractor Data Subject privacy preferences.
  4. CLINPACE acknowledges that certain generally applicable conditions for transfer of HR Personal Data from Switzerland or some European Member States may preclude other uses of such HR Personal Data even after transfer outside of Switzerland or the European Union.

 c. Application of the Access Principle

CLINIPACE will comply with local regulations with respect to the Processing of HR Personal Data and shall ensure that Swiss and European Union employee/contractor Data Subjects have access to HR Personal Data, if such access is required by law in their home countries, regardless of the location of data processing and storage.

 d. Enforcement

  1. CLINIPACE understands that the primary responsibility for European HR Personal Data remains with the organization residing in Europe and the primary responsibility for Swiss HR Personal Data remains with the organization residing in Switzerland.
  2. CLINIPACE shall refer Swiss and European employee/contractor Data Subjects to the local Data Protection Authority where he/she works when the Data Subject is not satisfied with CLINIPACE’s handling of his/her HR Personal Data complaint or the end result of the complaint.
  3. CLINIPACE agrees to cooperate with competent EU and Swiss authorities in its investigations regarding the Processing of HR Personal Data by and agrees to comply with the advice of such competent EU and Swiss authorities.

 

b. Application of the Accountability for Onward Transfer Principle

CLINIPACE acknowledges that HR Personal Data transfers to a third party Controller for occasional employment-related operational needs (i.e. booking a flight, hotel room, or insurance coverage) or transfers involving of a small number of employees can take place without having to grant access under Section 8(c) or entering into a contract with the third-party Controller, as long as CLINIPACE adheres to the notice and choice requirements under Section 8(b).

EXHIBIT C

I  DATA PRIVACY INFORMATION NOTICE – NON-HR DATA

As a web user or business partner (“You” or “Your”) to Clinipace, Inc. and/or its Affiliates (as defined in Exhibit A of the Privacy Statement) (collectively “CLINIPACE” or “Us” or “We” or “Our”), You may provide Personal Data (as defined below) to Us in order for Us to fulfil Our legal, compliance and/or client service obligations.

CLINIPACE has certified under the EU-US Privacy Shield Framework and Swiss Privacy Shield Framework (collectively “Privacy Shield”) that We commit to adhere to the principles of: 1) notice, 2) choice, 3) accountability for onward transfer, 4) security, 5) data integrity and purpose limitation, 6) access, and 7) recourse, enforcement and liability in regard to the Processing (as defined below) of Personal Data from the European Union and Switzerland to the United States (“Principles”).

CLINIPACE has also certified that it agrees to cooperate and comply with the Federal Trade Commission regulations with regard to the Processing of European and Swiss Personal Data of Our clients, vendors, web users, clinical trial subjects and clinical study institution staff).

CLINIPACE also agrees to adhere to all applicable data protection laws and regulations including but not limited to European Commission Directive 2016/680, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, by May 25, 2018, and other local data protection laws where CLINIPACE or its Affiliates reside or conduct business (collectively “Local Privacy Laws”).

Collectively the “Principles” and “Local Privacy Laws” shall be referred to herein as “Privacy Obligations”.

For purposes of this Information Notice:

  1. Personal Data” includes any data which can be used to identify You including Your identification number, location data, online identifier or one or more factors specific to Your physical, physiological, genetic, mental, economic, cultural or social identity including for example “Sensitive Data” (as defined below);
  2. Sensitive Personal Data” includes information related to racial or ethnic origin, political or religious beliefs, trade union membership, health, sexuality or sex life, and offenses and/or convictions; and
  3. Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.

CLINIPACE has particular obligations to You with respect to the Processing of Your Personal Data under its Privacy Obligations, which is described in this Information Notice.

We are obligated to provide You with a description of:

 

  1. Our obligations under the Privacy Obligations;
  2. Your rights under the Privacy Obligations; and
  3. Your applicable contact(s) in the event of a privacy inquiry or complaint against Us regarding the Processing of Your Personal Data.

 

A. OUR OBLIGATIONS UNDER THE PRIVACY OBLIGATIONS:

 

  1. NOTICE: We are obligated to notify You:

a. of Our Processing activities with respect to Your Personal Data via this Information Notice;

b. that We may be required to disclose Your Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and

c. that We are subject to the jurisdiction and investigatory and enforcement powers of the Federal Trade Commission for the compliance and enforcement of the Privacy Obligations.                                                                                                          

  1. CHOICE: We are obligated to provide You with the right (i) to require express informed consent for the Processing of Sensitive Personal Data and (ii) to choose to opt out of certain Processing activities to the extent permitted under the Privacy Obligations and applicable law.
  2. ACCOUNTABILITY FOR ONWARD TRANSFERS: We are obligated to ensure that We only transfer Your Personal Data to a third party in accordance with the Privacy Obligations and that We may be liable for onward transfers in violation of the Privacy Obligations.

 

  1. SECURITY: We are obligated to take reasonable and appropriate measures to protect Your Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Our security measures will take into account the nature and types of Processing activities performed of the Your Personal Data (i.e. affording a higher level of security if for example Sensitive Personal Data is being processed).

 

  1. DATA INTEGRITY AND PURPOSE LIMITATION. We are obligated to Process accurate, complete and current Personal Data in accordance with the “Purpose” (See Section B for permitted Purposes) for which We collected it from You. We shall retain Your Personal Data only for as long as it serves the Purpose or as required under law.

 

  1. We are obligated to provide You with certain access rights to Your Personal Data, which are further detailed in Section B.

 

  1. RECOURSE, ENFORCEMENT AND LIABILITY. We are obligated to implement policies and procedures to ensure Our compliance with the Privacy Obligations and to provide to You with a recourse mechanism in the event You have a privacy complaint, against Us for the Processing of Your Personal Data.

 For more detailed information on Your rights and Our obligations under the Privacy Obligations please see Our full Data Privacy Statement located at: https://www.clinipace.com/privacy-statement/.  

B. YOUR RIGHTS UNDER THE PRIVACY OBLIGATIONS:

  1. You have the right to know (a) the types of Personal Data We may Process, (b) the Recipients who may receive your Personal Data, (c) the types of Processing activities We MAY perform on Your Personal Data, and (d) the purpose for such Processing activities (the “Purpose”).

 Please refer to Annex I for more detailed information concerning Your particular data subject type.

  1. You have the right to know if Your Personal Information is being transferred to another country outside of Switzerland or the European Union.

In furtherance of the Purpose, We may need to share Your Personal Data with Our Affiliates, clients, vendors and legal authorities, which may be located in a country that does not afford a level of data protection comparable to that established by the Privacy Shield, Switzerland, the European Union or other applicable countries.

Please see Exhibit A of our Privacy Statement located at https://www.clinipace.com/privacy-statement/ for a list of Our Affiliates and their respective countries of origin.

  1. You have the right to know how long Clinipace may retain Your Personal Data.

 Clinipace shall retain Your Personal Data in a format which permits identification for as long as it serves the specified Purpose and for longer periods of time if required by law.

  1. You have the right to know the security measure We use to protect Your Personal Data.

 a. Within Clinipace. We protect Your Personal Data through the requirement of log in credentials and permission controls. Therefore, only the select roles within Clinipace, as specified in Section 3, will have access to Your Personal Data for the permitted purposes. We also use data redundancy and the implementation of physical and logical controls.

b. Outside of Clinipace. We protect Your Personal Data by requiring that Our contracts with Our third party entities contain data protection language ensuring that such external third party will provide at least the same level of data protection as what is required under the Privacy Obligations.

  1. You have the right to know that under the Privacy Obligations, CLINIPACE is obligated to disclose Personal Data in response to lawful request by public authorities lawfully requesting such Personal Data.                                                                                
  2. You have the right to (i) object to the Processing of Your Personal Data, (ii) request access to Your Personal Data, (iii) request the fixing of Personal Data errors and/or (iv) request deletion of Your Personal Data (subject to limitations under the Privacy Obligations).                                                                                                         

a. For Right of Objection: please (i) provide Us with Your ID or any other documentation accrediting Your identity, (ii) identify the Personal Data You object to being Processed, and (iii) provide a rationale as to why You object to Us using Your Personal Data. Upon receipt of Your request, We will then stop Processing Your Personal Data, unless there is a legal obligation requiring Us to continue Processing Your Personal Data.

b. For Right of Access: please provide Us with Your ID or any other documentation accrediting Your identity, and We will provide electronically, at no charge, access to Your Personal Data once per year (or more than once per year if You can show a legitimate reason for such access).

c. For Right of Rectification: please (i) provide Us with Your ID or any other documentation accrediting Your identity, (ii) identify the Personal Data that needs to be corrected and (iii) provide Us with the correct information.

 d. For Right of Deletion: please (i) provided Your ID or any other documentation accrediting Your identity, (ii) identify the Personal Data to be deleted, and (iii) provide a rationale for why You wish for Us to delete the Personal Data. The deletion will be made unless there is a legal obligation preventing Us from deleting the Personal Data (for example: the management of a claim).

  1. If required under the Principles or Local Privacy Laws, We will notify You in the event there is a breach (unauthorized access) of Your Personal Data.                             
  1. Regarding Your privacy concerns, You have the right to complain to:

a. Us,

b. Our Third Party Dispute Contact (see below),

c. Your relevant data protection authority, and

d. the Federal Trade Commission

  1. You have the right (free of charge) to participate in:                                                            

a. alternative dispute resolution (ADR) with an independent third party and/or                                            

b. binding arbitration with a three person Privacy Shield panel, subject to limitations under the Principles, if other means of addressing Your complaint was not resolved (such as the ADR mechanism above). (Please refer to Annex 1 of Privacy Shield for more information at https://www.privacyshield.gov).                                              

See Section C for how to contact Us, Our Third Party Dispute Contact, the FTC, and Your Data Protection Authority regarding Your privacy questions / concerns.

         

  1. If permitted under your Local Privacy Laws, You may also have the right to seek other judicial redress.                                             
  2. If applicable to Your country of origin, You have the right to consult the General Data Protection Register;

 

C. WHO You CAN CONTACT IN THE EVENT OF PRIVACY INQUIRIES OR COMPLAINTS

If You have a particular inquiry, request, or complaint, please follow the “Clinipace Dispute Resolution Mechanism Process” outlined below:

Step 1: Contact Clinipace directly for all privacy related inquiries and/or complaints under Privacy Shield by filing out and submitting the Compliance Submission Report located at: https://www.clinipace.com/hr-compliance-form/.

 When submitting Your compliance submission report, please to be sure to provide complete information or We may not be able to properly address Your privacy request in a timely fashion. Please ONLY USE THIS FORM located at https://www.clinipace.com/hr-compliance-form/ to submit a privacy request as We may not be able to completely address Your privacy request in a timely fashion if You use alternative means of communication.

In the event You are having difficulty filling out the form or have questions regarding how to fill out the form, please contact the following:

Name: Elizabeth Youngkin, Global Data Protection Officer

Address: 3800 Paramount Parkway, Suite 100, Morrisville, NC 27560

Phone: 919-224-8800

Email: compliance@clinipace.com

Step 2: If You do not receive a response within forty five (45) days of CLINIPACE’s receipt of Your message or do not believe that Your claim was resolved, contact: The applicable national Data Protection Agency of where You work to address Your privacy issues (see applicable agency’s website for contact information). Complaints may be filed on-line utilizing the Privacy Shield-Safe Harbor Program Notice of Arbitration Form located at: http://info.adr.org/ safeharbor.  For any questions or for further information please visit the website:  http://info.adr.org/safeharbor.

Step 3: If You do not receive resolution on Your privacy issue from the Third Party Dispute Contact, You have the option of:

  1. contacting the national Data Protection Agency where You live to address Your privacy issues (see applicable agency’s website for contact information); and/or
  2. contacting the FTC and submit a complaint by clicking here: https://ftccomplaintassistant.gov/#&panel1-1.

Step 4: As a last resort, if the above mechanisms do not work, You may be eligible to invoke binding arbitration. For more information on binding arbitration please see: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

ANNEX I

Detailed information on Personal Data Processing Activities by Data Subject Type

 

Web Users 1.   Types of Personal Data We may Process.

a.   Your name, email address, and phone number;

b.   Your work title, company name and relevant industry;

c.    Your country; and

d.   Your IP address.

 

2.   Recipients to whom We MAY provide Your Personal Data.

a.   CLINIPACE IT vendors who provide/maintain Our website and company software;

b.   Companies identified for potential acquisition/merger; and/or

c.    Within CLINIPACE (within both Clinipace Inc. and its affiliates) the following personnel:

                               i.    Marketing,

ii.    Sales / Business Development,

iii.    Proposals,

iv.    Investors and Board Members,

v.    Executive and/or Operational Committee,

vi.    Finance,

vii.    Legal Department,

viii.    Project Management,

ix.    Information Technology, and

x.    Quality Assurance.

 

3.   Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a.   using Your IP address for logging purposes;

b.   using Your name and email address to periodically provide general industry / CLINIPACE information / educational materials in multiple formats such as ebooks, brochures, and webcast access in instances where You sign up for free webcasts, eBooks and Infographics via Your general website;

c.    using Your name, phone, email address, job title, industry description, company name, and country to allow Our sales / business development group to contact You regarding potential CLINIPACE services for Your company, in instances where You sign up for free webcasts, eBooks and Infographics via Your general website;

d.   using Your name, email address, and job title to provide general direct mass marketing mailing to promote CLINIPACE activities / services as well as to provide notification of new general industry / CLINIPACE information / educational materials, in instances where You sign up for free webcasts, eBooks and Infographics via Your general website; and

e.   using Your name, email address, phone, industry description, country, and company name to notify You of applicable industry events that may be relevant to You and that We may attend, in instances where You sign up for free webcasts, eBooks and Infographics via Your general website.

Clients

(existing and potential)

1.   Types of Personal Data We may Process.

a.   Your name, work address, work phone number, work title, and work email address;

b.   Your image or voice (if applicable);

c.    Your IP address; and

d.   Your signature.

 

2.   Recipients to whom We MAY provide Your Personal Data.

a.   companies identified for potential acquisition/merger;

b.   CLINIPACE IT Vendors who provide/maintain on Our website and/or company software;

c.    vendors who have contracted with Clinipace, Sponsor or its affiliates or subsidiaries for the provision of services under the Study;

d.   clinical sites and its study staff who are participating in the Study;

e.   Regulatory/legal authorities;

f.     third party auditors;

g.   clinical trial subjects;

h.   potential / current CLINIPACE investors / banks; and

i.     Within CLINIPACE (within both Clinipace Inc. and its affiliates) potentially all internal departments.

3.   Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a.   Collecting and storing Your name, address, work contact number, work email address, signature, tax and financial disclosure information, identification number for regulatory and/or legal filing, submission, and/or compliance purposes;

b.   Collecting and transferring Your name, work address, work phone number, work title, work email address, image or voice (if applicable) to CLINIPACE staff, site staff, and/or anonymized clinical trial subjects for general information, printed materials, and/or recorded trainings, meetings and/or events;

c.    Transferring Your name, address, work contact number, work email address, signature, tax and financial disclosure information, identification number externally to applicable regulatory authorities and third party auditors for regulatory and/or legal filing, submission, and/or compliance purposes;

d.   Collecting, storing, and transferring internally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication;

e.   Collecting, storing, and transferring externally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication with third party vendors who are conducting services in relation to the Study;

f.     Collecting, storing and/or transferring Your name, address, work contact number, work email address, work title, and signature for purposes of the multicenter publication for the Study;

g.   Transferring Your name, address, work contact number, work title, work email address for purposes of registering the Study on clinical sites such as clinicaltrials.gov;

h.   Granting access to Your name, address, work contact number, work email address, work title, signature, tax, identification number externally to companies identified for potential acquisition/merger for due diligence purposes;

i.     Collecting, storing and using Your IP address for logging purposes and for username verification/security purposes when You log onto and/or access Our computer system/web platforms and;

j.     Granting access to Your name, address, work contact number, work email address, work title, signature, tax, identification number externally to CLINIPACE IT Vendors who provide/maintain on Our website and/or business software.

 

Vendors 1.     Types of Personal Data We may Process.

a. Your name, address, work phone number, work title, and work email address;

b. Your resume/CV or other educational and/or work experience or credentials;

c.  Your banking information (if paid directly);

d. Your IP address; and

e. Your hours worked (if applicable).

 

2.     Recipients to whom We MAY provide Your Personal Data.

a. Clients who have contracted with Clinipace or its affiliates or subsidiaries or potential Clinipace clients;

b. Other vendors who have contracted with Clinipace or its affiliates or subsidiaries;

c.  Clinical sites who have contracted with Clinipace or its affiliates or subsidiaries;

d. Legal authorities (including for example tax authorities, EEOC / workers counsels, and regulatory authorities);

e. Third party auditors;

f.   Companies identified for potential acquisition/merger;

g. CLINIPACE IT Vendors who provide/maintain on Our website and/or company software; and/or

h. Within CLINIPACE (within both Clinipace Inc. and its Affiliates) potentially all internal departments including:

                     i.        Investors and Board Members,

ii.        Executive and/or Operational Committee,

iii.        Human Resources

iv.        Payroll,

v.        Finance,

vi.        Legal Department,

vii.        Quality Assurance,

viii.        Project Management,

ix.        Business Development/Proposals, and

x.        Information Technology

 

3.       Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a. Collecting, storing, and processing Your resume/CV, Job Description if applicable and or scope of work in a contract, evidence of training compliance which may or may not include MasterControl, SOP training compliance reports and Your completed/signed electronic signature manifestation form, if required.  Some of this documentation such as Your resume/CV is pertinent to filing in the TMF.  Documentation, if filed in the TMF, may be uploaded to an electronic TMF and or in held originally in paper form;

b. Transferring Your resume/CV internally to Quality Assurance, Human Resources, Recruiting, applicable Clinipace Operational and Executive Staff, and Your manager(s) to assess Your skill set and qualifications;

c.  Transferring Your resume/CV externally to potential clients and/or third party auditors and regulatory inspectors either electronically or in paper form for purposes of verifying that You have competence to perform Your specific job function;

d. Collecting Your work hours and banking information for purposes of providing payment to You either electronically or in paper form (if paid directly);

e. Collecting Your name, address, contact number, salary information, and identification number internally to Human Resources, Recruiting and Your manager(s) for general management and HR/recruitment processing activities;

f.   Collecting Your name, address, contact number, work hours, salary information, and identification number for purposes of providing required tax information to applicable legal authorities either electronically or in paper form;

g. Collecting Your name, address, contact number, work hours, and identification number for purposes of providing required information to applicable regulatory authorities either electronically or in paper form;

h. Collecting and transferring Your work email address, Your work phone number, Your work title, and Your name internally to all Clinipace staff and externally to the recipients specified in Section 2 for purposes of general work communications;

i.   Collecting and transferring Your name, work address, work phone number, work title, work email address, image or voice (if applicable) to other CLINIPACE staff, site staff, clients and vendors for general information, printed materials, and/or recorded trainings, meetings and/or events;

j.   Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax information, and identification number externally to companies identified for potential acquisition/merger for due diligence purposes;

k. Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, work hours, resume/CV, training record, professional and/or work qualifications information, signature, tax information, and identification number externally to CLINIPACE IT Vendors who provide/maintain on Our website and/or business software;

l.   Collecting, storing and using Your IP address for logging purposes and for username verification/security purposes when You log onto and/or access Our computer system/web platforms and;

m.   Retaining Your Personal Data in order to comply with Our legal/compliance obligations.

Institution Staff 1.   Types of Personal Data We may Process.

a.   Your name, work address, work phone number, work title, and work email address;

b.   Your resume/CV or other educational and/or work experience or credentials;

c.    You publications and/or congress presentations;

d.   Your training record;

e.   Certain financial information (for purposes of physician transparency / Sunshine Act compliance purposes);

f.     Your banking information (if applicable);

g.   Your Identification Number;

h.   Your professional / medical license numbers (if applicable);

i.     Professional certifications and/or associations membership information;

j.     Your image or voice (if applicable);

k.   Your IP address; and

l.     Your signature.

 

2.   Recipients to whom We MAY provide Your Personal Data.

a.   Companies identified for potential acquisition/merger; and/or

b.   CLINIPACE IT Vendors who provide/maintain on Our website and/or company software;

c.    Vendors who have contracted with Clinipace, Sponsor or its affiliates or subsidiaries for the provision of services under the Study;

d.   Other clinical sites and its study staff who are participating in the Study

e.   Regulatory/legal authorities;

f.     Third party auditors; and

g.   Within Clinipace/Sponsor the following personnel: (i) Investors and Board Members,(ii) Clinipace Executive and/or Operational Committee, and (iii) Operations, Data Management, Regulatory, Legal, Project Management, Medical / Monitoring, Quality Assurance, Human Resources, Information Technology Departments, Finance and/or Grants Administration Department.

 

3.   Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a.   Collecting, storing, and processing Your resume/CV, documentation of study specific roles and responsibilities assigned, site staff start and end dates for study participation and related training records for TMF uploading (either electronically or in paper form);

b.   Collecting, storing and processing Your banking information for purposes of providing payment either electronically or in paper form;

c.    Collecting and storing Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax and financial disclosure information, identification number for regulatory and/or legal filing, submission, and/or compliance purposes;

d.   Transferring Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax, financial disclosure, identification number externally to applicable regulatory authorities and third party auditors for regulatory and/or legal filing, submission, and/or compliance purposes;

e.   Collecting, storing, and transferring internally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication;

f.     Collecting and transferring Your name, work address, work phone number, work title, work email address, image or voice (if applicable) to CLINIPACE staff, site staff, and/or anonymized clinical trial subjects for general information, printed materials, and/or recorded trainings, meetings and/or events;

g.   Collecting, storing, and transferring externally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication with third party vendors who are conducting services in relation to the Study;

h.   Collecting, storing and/or transferring Your name, address, work contact number, email address, professional and/or work qualifications, and image for purposes of the multicenter publication for the Study;

i.     Transferring Your name, address, work contact number, work email address for purposes of registering the Study on clinical sites such as clinicaltrials.gov;

j.     Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax, financial disclosure, identification number externally to companies identified for potential acquisition/merger for due diligence purposes;

k.   Collecting, storing and using Your IP address for logging purposes and for username verification/security purposes when You log onto and/or access Our computer system/web platforms; and

l.     Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax, financial disclosure, identification number externally to CLINIPACE IT Vendors who provide/maintain on Our website and/or business software.