Overview of Clinipace

As a global full-service contract research organization (CRO), Clinipace Inc., a global company headquartered in the United States, and its Affiliates (“CLINIPACE”) serve the unique needs of venture-backed, mid-tier and strategic pharmaceutical, biotechnology and medical device firms, helping them advance drug candidates to deliver successful stakeholder and patient outcomes.  The company leverages extensive therapeutic knowledge, clinical trial expertise, and innovative technology to support life science firms in achieving some of their most important goals: executing regulatory strategies, optimizing clinical development timelines and completing high quality trials.

Clinipace has completed more than 1,500 clinical trials and 1,500 regulatory and statistical consulting projects and operates in North America, South American, Europe, and Asia.

Definitions

  1. Affiliates: means the list of entities in Exhibit A of the Information Notice (see below links).
  2. Controller: means a person or entity which, alone or jointly, determines the purposes and means of Processing Personal Data of a Data Subject.
  3. Data Subject: an identified or identifiable person who has provided Personal Data.
  4. Personal Data: are identifiable data recorded in any form about a Data Subject, which may include identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
  5. Process/Processing/Processed: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  6. Processor: a person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
  7. Sensitive Personal Data: Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the Data Subject.

Scope.

This Privacy Policy Statement (“Privacy Statement”) describes how CLINIPACE Processes Personal Data of European and Swiss Data Subjects in compliance with the principles outlined in the EU-US Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (collectively “Privacy Shield”) as set forth by the Department of Commerce (collectively the “Principles”). If there is any conflict between the policies in this Privacy Statement and the Principles, the Principles shall govern.

This Privacy Statement is only applicable to non-HR Personal Data. HR Personal Data, which is the Personal Data of CLINIPACE’S employees and contractors, shall be addressed in a separate privacy statement located internally at \\clinipace.net\dfs\HR\Public.

Limitations On Scope.                                                                                                                     

Adherence to this Privacy Statement may be limited to the extent required by law, regulations or other governmental obligations, and CLINIPACE reserves the right to share a Data Subject’s Personal Data as required or authorized by law or regulation or requested by governmental authorities. In accordance with applicable privacy laws, this Privacy Statement may not apply or may be limited to Processing activities necessary for the performance of a contract between the Data Subject and CLINIPACE.

Self Certification.

CLINIPACE has certified that it complies to both the Privacy Shield Principles of: 1) notice, 2) choice, 3) accountability for onward transfer, 4) security, 5) data integrity and purpose limitation, 6) access, and 7) recourse, enforcement and liability (the “Principles”) in regard to the Processing of “Personal Data” of Data Subjects transferred from European Union and Switzerland to the United States.  For a more detailed explanation on the rights and obligations described under the Principles, please refer to Exhibit B of the Privacy Statement.

CLINIPACE has also certified that it agrees to cooperate and comply with  the Federal Trade Commission with regard to the Processing all Personal Data. CLINIPACE acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield.

CLINIPACE Data Processing Activities / Information Notices.                         

In the course of conducting its day-to-day activities. CLINIPACE may Process the Personal Data of different Data Subjects. For some Processing activities, CLINIPACE may act as Controller and other times CLINIPACE may act as a Processor at the direction of its client.

CLINIPACE acts as a:

  1. Controller in terms of Personal Data that is Processed from its employees, contractors, web users, clients, and certain vendors; and
  2. Processor on behalf of its Controller clients in terms of Processing Personal Data from clinical study site staff and certain vendors.

CLINIPACE collects and stores:

  1. Vendor and client Personal Data for purposes of providing client services;
  2. Web user Personal Data for marketing and general informational purposes;
  3. Clinical study site staff Personal Data for purposes of regulatory compliance and for fulfilling CLINIPACE clinical study and legal/regulatory obligations; and
  4. Key-coded clinical subject data for purposes of fulfilling CLINIPACE’s clinical study obligations.

Note on Clinical Trial Subject Data:  Under the Privacy Shield, key-coded data is not considered protected Personal Data if the company does not receive the key. It is CLINIPACE’s policy to only receive key-coded clinical subject data. In the event that CLINIPACE comes in contact with un-redacted clinical trial Personal Data, CLINIPACE will adhere to the Principles with respect to the Processing of such Personal Data.                

Information Notices.

Under the Notice Principle, CLINIPACE is obligated to provide notification regarding the use, processing, transfer, and retention of a Data Subject’s Personal Data as well as his/her request and recourse rights under the Principles. CLINIPACE’S Information Notice for Personal Data is attached as Exhibit C.

Note to Clinical Trial Subjects. For clinical trial subjects enrolled in CLINIPACE participating trials, please reach out to the institutional/investigator contact indicated on your clinical subject Informed consent form for all privacy-related inquiries and/or complaints.

Please go to Exhibit B Section 1 for more information on this topic.

Recourse, Enforcement and Liability.

In compliance with the Principles, CLINIPACE commits to resolve complaints about our Processing activities with respect to the Personal Data of European and Swiss Data Subjects. CLINIPACE has also committed to refer unresolved complaints, at no cost to the Data Subject, to 1) the International Centre for Dispute Resolution, the global component of the American Arbitration Association, which is an independent recourse mechanism established in the United States (“IDCR/AAA”) (to submit a claim or learn more go to: http://go.adr.org/privacyshield.html). The Data Subject also has the right to complain directly to the Department of Commerce and the EU and/or Swiss Data Protection Authority. If a Data Subject’s complaint is still not resolved by the mechanisms above, in some instances, the Data Subject has the right to invoke binding arbitration.

Please go to Annex 1 of the Privacy Shield Principles for more information at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

For European and Swiss Data Subject inquiries, requests, or complaints, please click on the appropriate Information Notice web link above and follow the “Clinipace Dispute Resolution Mechanism Process” outlined in the appropriate Information Notice.  

In the context of onward transfer, a Privacy Shield organization has responsibility for the Processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Any CLINIPACE staff in violation of this Privacy Statement will be subject to disciplinary action up to and including termination of employment, where applicable.

Please go to Exhibit B Section 7 for more detailed information on this topic.

Effective Date.

This Privacy Statement shall become effective 30 September 2016. Please refer to www.clinipace.com for the most recent version of this Privacy Statement.

Privacy Statement Changes.

This Privacy Statement may be reviewed and amended from time to time, without advance notice, consistent with the requirements of the Principles, to ensure that an appropriate level of protection for Personal Data is maintained.

All amendments will be posted on the following website: www.clinipace.com.
A notice will be posted on the www.clinipace.com website for sixty (60) days if there is a material amendment to this Privacy Statement.

Additional Links.

CLINIPACE’s Privacy Shield Certification and more information about Privacy Shield can be found at https://www.privacyshield.gov.

 EXHIBIT A

 LIST OF CLINIPACE AFFILIATES

Accovion Sp.z o.o. (Poland)

Accovion s.r.o (Czech Republic)

Accovion S.r.l. (Romania)

Accovion SARL (France)

Accovion S.R.L. (Italy)

Accovion S.L. (Spain)

Accovion LLC (Ukraine)

Accovion Ltd. (UK)

Accovion GmbH (Germany)

Clinipace Global, Ltd. (UK)

Clinipace A.G. (Switzerland)

Clinipace KK (Japan)

Clinipace Korea Ltd. (South Korea)

Choice Pharma Taiwan Co. Ltd. (Taiwan)

Choice Pharma Asia SDN. BHD (Malaysia)

Clinipace Australia Limited Pty. (Australia)

Clinipace Clinical Research Private Limited (India)

Choice Pharma, (HK) Limited (Hong Kong)

Choice Pharma Medical Information Consultancy (Shanghai) Co. Ltd. (China)

Choice Pharma Asia Pacific Pte. (Singapore)

Clinipace GmbH (Germany)

Paragon Biomedical, Inc. (USA)

Paragon Biomedical, Ltd. (UK)

Paragon Biomedical Poland sp.  zo.o. (Poland)

Regulus Pharmaceutical Consulting, Inc. (USA)

Worldwide Clinical Research, Inc. (USA)

Worldwide Clinical Research Del Peru SAC (Peru) 

EXHIBIT B

DETAILED EXPLANATION OF THE RIGHTS AND OBLIGATIONS UNDER THE PRIVACY SHIELD PRINCIPLES

  1. Notice

To ensure compliance with the Principals, CLINIPACE must provide all of its Data Subjects with appropriate notice, in clear and conspicuous language, regarding the use, processing, transfer, and retention of its Personal Data when the Data Subject is first asked to provide Personal Data to CLINIPACE or as soon thereafter as is practicable, but in any event before CLINIPACE uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

The information contained in the notification shall include:

a. Clinipace’s participation in Privacy Shield;

b. The types of Personal Data CLINIPACE and its entities and subsidiaries collects;

c. Clinipace’s commitment to Data Subject to the Principles all Personal Data received from the EU and Switzerland in reliance on the Privacy Shield;

d. The purposes for which CLINIPACE collects and uses Personal Data about them;

e. How to contact CLINIPACE with any inquiries or complaints, including any relevant establishment in the EU and Switzerland that can respond to such inquiries or complaints;

f. The type or identity of third parties to which CLINIPACE discloses Personal Data, and the purposes for which CLINIPACE does so;

g. The right of the Data Subject to access their Personal Data, subject to limitations provided in Privacy Shield;

h. The choices and means CLINIPACE offers Data Subjects for limiting the use and disclosure of their Personal Data;

i. The independent dispute resolution body CLINIPACE has designated to address Data Subject complaints and provide appropriate recourse free of charge to the Data Subject and designate whether the independent dispute resolution body is: (i) a panel established by DPAs, (ii) an alternative dispute resolution provider based in the EU or Switzerland, or (iii) an alternative dispute resolution provider based in the United States;

j. Which investigatory and enforcement powers CLINIPACE is subject;

k. The possibility, under certain conditions, for the Data Subject to invoke binding arbitration;

l. CLINIPACE’s requirement to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and

m. CLINIPACE’s liability in cases of onward transfers to third parties.

Please refer to the applicable CLINIPACE Information Notice detailing the information required to be provided under subsections a through m above.    

  1. Choice

To remain compliant with the Principles, Data Subjects have the opportunity to choose (opt out) whether their Personal Data:

a. Is disclosed to a third party that is not acting as an agent to perform tasks on behalf of CLINIPACE and does not have a contract with CLINIPACE for such tasks

or

b. Is used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Data Subject.

If the Data Subject wishes to ‘opt out,’ the Data Subject must contact CLINIPACE using the means of communication outlined in the Information Notice.

For Sensitive, Personal Data, CLINIPACE will obtain affirmative express consent (opt-in) from Data Subjects if such information is to be

a. Disclosed to a third party

or

b. Used for a purpose other than those for which it was originally collected or subsequently authorized by the Data Subject through the exercise of opt-in choice.

CLINIPACE treats as sensitive any Personal Data received from a third party where the third party identifies and treats such Personal Data as sensitive.

  1. Accountability for Onward Transfers

CLINIPACE transfers Personal Data to a third party, acting as a Controller, in conformance with the Principals of Notice and Choice. CLINIPACE will enter into a contract with any third-party controller which will provide that:

a. Such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the Data Subject;

b. The recipient third party will provide the same level of protection as the level of protection afforded in the Principles; and

c. The recipient third party will notify CLINIPACE if it determines it can no longer meet this obligation and will subsequently cease processing or take other reasonable and appropriate steps to remediate its perceived deficiencies.

CLINIPACE will only transfer personal data to a third party acting as CLINIPACE’s agent if:

a. CLINIPACE’s Personal Data transfer to the third party agent is only for limited and specified purposes;

b. CLINIPACE ascertains that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;

c. CLINIPACE takes reasonable and appropriate steps to ensure that the third party agent effectively processes the Personal Data transferred in a manner consistent with CLINIPACE’s obligations under the Principles;

d. CLINIPACE requires that the third party agent notify CLINIPACE if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and will subsequently cease processing or take other reasonable and appropriate steps to remediate its perceived deficiencies; and

e. CLINIPACE provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Federal Trade Commission or other applicable regulatory body upon request.

Please refer to the applicable CLINIPACE Information Notice for more information on how CLINIPACE handles third-party transfers.                        

  1. Security                    

CLINIPACE takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved with the processing and nature of the Personal Data.

Please refer to the applicable CLINIPACE Information Notice for more information on how CLINIPACE ensures security of the Personal Data.                                        

  1. Data Integrity and Purpose Limitation

CLINIPACE’s collection, use, processing and retention of the Personal Data is limited to the information that is relevant for the purposes of processing (“Purpose”). CLINIPACE will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

To the extent necessary for those purposes, CLINIPACE takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current.

CLINIPACE adheres to the Principles for as long as it retains the Personal Data.
Personal Data is retained in a form identifying or making identifiable the Data Subject only for as long as it serves the Purpose, provided that CLINIPACE may retain the Personal Data for longer periods of time if permitted by the Principles such as serving customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, adherence to other laws such as FDA or other applicable regulatory authority rules and/or regulations, or other purposes consistent with the expectations of a reasonable person given the context of the collection.

Please refer to the applicable CLINIPACE Information Notice for more information on the purposes by which CLINIPACE processes Personal Data and the applicable data retention requirements. 

  1. Access

Upon request, CLINIPACE will provide Data Subjects access to its Personal Data that CLINIPACE holds.

The Data Subject can request that CLINIPACE correct, amend, or delete inaccurate Personal Data or Persona Data that is processed in violation of the Principles, provided that the burden or expense of providing access is not disproportionate to the risks to the Data Subject’s privacy or where the rights of other Data Subjects would be violated if access was granted.           

Please refer to the applicable CLINIPACE Information Notice for more information on how Data Subject can request his/her access rights.                   

  1. Recourse, Enforcement and Liability

a. Compliance Mechanisms:

CLINIPACE has implemented internal, self-assessment procedures for conducting random audits of its privacy practices to ensure that such practices are in compliance with this Privacy Statement.  In the event that CLINIPACE becomes aware that its policies/processes are not compliant with the Principles, CLINIPACE will promptly remedy the problem by modifying its applicable policies and/or procedures (including this Privacy Statement) accordingly to ensure compliance.

CLINIPACE has also trained its employees to ensure compliance with its privacy obligations under the Principles. Any employee or contractor that CLINIPACE determines is in violation of this Privacy Statement will be subject to mandatory re-training and/or disciplinary action, up to and including termination.

In the event of a privacy-related issue or complaint, CLINIPACE will cooperate with and promptly respond to inquiries and requests from the FTC, Department of Commerce and Third Party Dispute Contact identified in the Information Notice for all other privacy concerns/complaints.

CLINIPACE will investigate and/or resolve any concern, complaint or question (“Issue(s)”) in accordance with this Privacy Statement. CLINIPACE employees, contractors or applicable external parties will direct any Issue(s) arising from the use or disclosure of Personal Information to CLINIPACE.

b. Data Subject Recourse Mechanisms.

The Data Subject has a number of recourse mechanisms in the event of a data privacy issue such as:

  • The right to complain to CLINIPACE regarding his/her data privacy issue in which CLINIPACE must respond to the Data Subject’s complaint within forty five (45) of receipt of the complaint;
  • The right to a cost-free independent dispute resolution mechanism to address privacy complaints if the complaint remains unresolved by CLINIPACE;
  • The right to complain to the applicable data protection authority in the Data Subject’s country of origin or the FTC for data privacy concerns, if the complaint remains unresolved by CLINIPACE; and
  • The ability to invoke binding arbitration in accordance with the rules set forth under Annex 1 of the Privacy Shield Framework to address any complaint regarding a violation of CLINIPACE’s obligations under the Privacy Shield Principles if the Data Subject’s complaint has not been resolved by any of the other means described above.

If the Data Subject has invoked binding arbitration, CLINIPACE will follow the rules set forth in Annex 1 of the Privacy Shield Framework.

Please refer to the applicable CLINIPACE Information Notice for more information on how Data Subjects can submit privacy complaints.

       c. CLINIPACE Consequences for Non-Compliance

  1. CLINIPACE is potentially liable if a third party acting as an agent on CLINIPACE’s behalf transfers or processes Personal Data in violation of the Principles.
  2. If CLINIPACE becomes subject to an FTC or court order based on non-compliance, CLINIPACE shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
  3. CLINIPACE may be subject to monetary damages if the Data Subject is awarded damages under binding arbitration.
  4. CLINIPACE may be subject to sanctions or exclusion from participating in either the EU-US or Swiss Privacy Shield program if the Department of Commerce deems the violation warrants such sanctions or exclusion. If CLINIPACE is excluded from participating in the EU-US or Swiss Privacy Shield Program, CLINIPACE may be required to return or delete the Personal Data it received under the EU-US or Swiss Privacy Shield.

EXHIBIT C

I  DATA PRIVACY INFORMATION NOTICE 

As a web user or business partner (“You” or “Your”) to Clinipace, Inc. and/or its Affiliates (as defined in Exhibit A of the Privacy Statement) (collectively “CLINIPACE” or “Us” or “We” or “Our”), You may provide Personal Data (as defined below) to Us in order for Us to fulfill Our legal, compliance and/or client service obligations.

CLINIPACE has certified under the EU-US Privacy Shield Framework and Swiss Privacy Shield Framework (collectively “Privacy Shield”) that We commit to adhere to the principles of: 1) notice, 2) choice, 3) accountability for onward transfer, 4) security, 5) data integrity and purpose limitation, 6) access, and 7) recourse, enforcement and liability in regard to the Processing (as defined below) of Personal Data from the European Union and Switzerland to the United States (“Principles”).

CLINIPACE has also certified that it agrees to cooperate and comply with the Federal Trade Commission regulations with regard to the Processing of European and Swiss Personal Data of Our clients, vendors, web users, clinical trial subjects and clinical study institution staff).

CLINIPACE also agrees to adhere to all applicable data protection laws and regulations including but not limited to European Commission Directive 2016/680, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, by May 25, 2018, and other local data protection laws where CLINIPACE or its Affiliates reside or conduct business (collectively “Local Privacy Laws”).

Collectively the “Principles” and “Local Privacy Laws” shall be referred to herein as “Privacy Obligations”.

For purposes of this Information Notice:

  1. Personal Data” includes any data which can be used to identify You including Your identification number, location data, online identifier or one or more factors specific to Your physical, physiological, genetic, mental, economic, cultural or social identity including for example “Sensitive Data” (as defined below);
  2. Sensitive Personal Data” includes information related to racial or ethnic origin, political or religious beliefs, trade union membership, health, sexuality or sex life, and offenses and/or convictions; and
  3. Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.

CLINIPACE has particular obligations to You with respect to the Processing of Your Personal Data under its Privacy Obligations, which is described in this Information Notice.

We are obligated to provide You with a description of:

  1. Our obligations under the Privacy Obligations;
  2. Your rights under the Privacy Obligations; and
  3. Your applicable contact(s) in the event of a privacy inquiry or complaint against Us regarding the Processing of Your Personal Data.

A. OUR OBLIGATIONS UNDER THE PRIVACY OBLIGATIONS:

  1. NOTICE: We are obligated to notify You:

a. Of Our Processing activities with respect to Your Personal Data via this Information Notice;

b. That We may be required to disclose Your Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and

c. That We are subject to the jurisdiction and investigatory and enforcement powers of the Federal Trade Commission for the compliance and enforcement of the Privacy Obligations.                                                                                                          

  1. CHOICE: We are obligated to provide You with the right (i) to require express informed consent for the Processing of Sensitive Personal Data and (ii) to choose to opt out of certain Processing activities to the extent permitted under the Privacy Obligations and applicable law.
  2. ACCOUNTABILITY FOR ONWARD TRANSFERS: We are obligated to ensure that We only transfer Your Personal Data to a third party in accordance with the Privacy Obligations and that We may be liable for onward transfers in violation of the Privacy Obligations.
  1. SECURITY: We are obligated to take reasonable and appropriate measures to protect Your Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Our security measures will take into account the nature and types of Processing activities performed of Your Personal Data (i.e., affording a higher level of security if for example Sensitive Personal Data is being processed).
  1. DATA INTEGRITY AND PURPOSE LIMITATION. We are obligated to Process accurate, complete and current Personal Data in accordance with the “Purpose” (See Section B for permitted Purposes) for which We collected it from You. We shall retain Your Personal Data only for as long as it serves the Purpose or as required under law.
  1. We are obligated to provide You with certain access rights to Your Personal Data, which are further detailed in Section B.
  1. RECOURSE, ENFORCEMENT AND LIABILITY. We are obligated to implement policies and procedures to ensure Our compliance with the Privacy Obligations and to provide You with a recourse mechanism in the event You have a privacy complaint, against Us for the Processing of Your Personal Data.

For more detailed information on Your rights and Our obligations under the Privacy Obligations, please see Our full Data Privacy Statement located at: https://www.clinipace.com/privacy-statement/.  

B. YOUR RIGHTS UNDER THE PRIVACY OBLIGATIONS:

  1. You have the right to know (a) the types of Personal Data We may Process, (b) the Recipients who may receive your Personal Data, (c) the types of Processing activities We MAY perform on Your Personal Data, and (d) the purpose for such Processing activities (the “Purpose”).

Please refer to Annex I for more detailed information concerning Your particular data subject type.

  1. You have the right to know if Your Personal Information is being transferred to another country outside of Switzerland or the European Union.

In furtherance of the Purpose, We may need to share Your Personal Data with Our Affiliates, clients, vendors and legal authorities, which may be located in a country that does not afford a level of data protection comparable to that established by the Privacy Shield, Switzerland, the European Union or other applicable countries.

Please see Exhibit A of our Privacy Statement located at https://www.clinipace.com/privacy-statement/ for a list of Our Affiliates and their respective countries of origin.

  1. You have the right to know how long Clinipace may retain Your Personal Data.

Clinipace shall retain Your Personal Data in a format which permits identification for as long as it serves the specified Purpose and for longer periods of time if required by law.

  1. You have the right to know the security measure We use to protect Your Personal Data.

a. Within Clinipace. We protect Your Personal Data through the requirement of log in credentials and permission controls. Therefore, only select roles within Clinipace, as specified in Section 3, will have access to Your Personal Data for the permitted purposes. We also use data redundancy and the implementation of physical and logical controls.

b. Outside of Clinipace. We protect Your Personal Data by requiring that Our contracts with Our third-party entities contain data protection language ensuring that such external third party will provide at least the same level of data protection as what is required under the Privacy Obligations.

  1. You have the right to know that under the Privacy Obligations, CLINIPACE is obligated to disclose Personal Data in response to lawful request by public authorities lawfully requesting such Personal Data.                                                                                
  2. You have the right to (i) object to the Processing of Your Personal Data, (ii) request access to Your Personal Data, (iii) request the fixing of Personal Data errors and/or (iv) request deletion of Your Personal Data (subject to limitations under the Privacy Obligations).     a. For Right of Objection: please (i) provide Us with Your ID or any other documentation accrediting Your identity, (ii) identify the Personal Data You object to
    being Processed, and (iii) provide a rationale as to why You object to Us using Your Personal Data. Upon receipt of Your request, We will then stop Processing Your
    Personal Data, unless there is a legal obligation requiring Us to continue Processing Your Personal Data.

b. For Right of Access: please provide Us with Your ID or any other documentation accrediting Your identity, and We will provide electronically, at no charge, access to Your Personal Data once per year (or more than once per year if You can show a legitimate reason for such access).

c. For Right of Rectification: please (i) provide Us with Your ID or any other documentation accrediting Your identity, (ii) identify the Personal Data that needs to be corrected and (iii) provide Us with the correct information.

d. For Right of Deletion: please (i) provide Your ID or any other documentation accrediting Your identity, (ii) identify the Personal Data to be deleted, and (iii) provide a rationale for why You wish for Us to delete the Personal Data. The deletion will be made unless there is a legal obligation preventing Us from deleting the Personal Data (for example: the management of a claim).

  1. If required under the Principles or Local Privacy Laws, We will notify You in the event there is a breach (unauthorized access) of Your Personal Data.                             
  1. Regarding Your privacy concerns, You have the right to complain to:

a. Us,

b. Our Third Party Dispute Contact (see below),

c. Your relevant data protection authority, and

d. the Federal Trade Commission

  1. You have the right (free of charge) to participate in:                                                            

a. alternative dispute resolution (ADR) with an independent third party and/or                                            

b. binding arbitration with a three person Privacy Shield panel, subject to limitations under the Principles, if other means of addressing Your complaint was not resolved (such as the ADR mechanism above). (Please refer to Annex 1 of Privacy Shield for more information at https://www.privacyshield.gov).                                   

See Section C for how to contact Us, Our Third Party Dispute Contact, the FTC, and Your Data Protection Authority regarding Your privacy questions / concerns.

  1. If permitted under your Local Privacy Laws, You may also have the right to seek other judicial redress.                                             
  2. If applicable to Your country of origin, You have the right to consult the General Data Protection Register.

C. WHO YOU CAN CONTACT IN THE EVENT OF PRIVACY INQUIRIES OR COMPLAINTS

If You have a particular inquiry, request, or complaint, please follow the “Clinipace Dispute Resolution Mechanism Process” outlined below:

Step 1: Contact Clinipace directly for all privacy related inquiries and/or complaints under Privacy Shield by filing out and submitting the Compliance Submission Report located at: https://www.clinipace.com/hr-compliance-form/.

 When submitting Your compliance submission report, please to be sure to provide complete information or We may not be able to properly address Your privacy request in a timely fashion. Please ONLY USE THIS FORM located at https://www.clinipace.com/hr-compliance-form/ to submit a privacy request as We may not be able to completely address Your privacy request in a timely fashion if You use alternative means of communication.

In the event You are having difficulty filling out the form or have questions regarding how to fill out the form, please contact the following:

Name: Global Data Protection Officer

Address: 3800 Paramount Parkway, Suite 100, Morrisville, NC 27560

Phone: +1 919-224-8800

Email: compliance@clinipace.com

Step 2:    If You do not receive a response within forty five (45) days of CLINIPACE’s receipt of Your message or do not believe that Your claim was resolved, contact the International Centre for Dispute Resolution, the international arm of the American Arbitration Association (“IDCR/AAA”), an independent recourse mechanism established in the United States (to submit a claim or learn more, go to: http://go.adr.org/privacyshield.html).

Step 3: If You do not receive resolution on Your privacy issue from the Third Party Dispute Contact, You have the option of:

  1. contacting the national Data Protection Agency where you live (i.e., the applicable EU data protection authorities or the Swiss Federal Data Protection and Information Commissioner, respectively) to address Your privacy issues (see applicable agency’s website for contact information); and/or
  2. contacting the FTC and submit a complaint by clicking here: https://ftccomplaintassistant.gov/#&panel1-1.

Step 4: As a last resort, if the above mechanisms do not work, You may be eligible to invoke binding arbitration. For more information on binding arbitration, please see: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

ANNEX I

Detailed information on Personal Data Processing Activities by Data Subject Type

Web Users 1.   Types of Personal Data We may Process.

a.   Your name, email address, and phone number;

b.   Your work title, company name and relevant industry;

c.    Your country; and

d.   Your IP address.

2.   Recipients to whom We MAY provide Your Personal Data.

a.   CLINIPACE IT vendors who provide/maintain Our website and company software;

b.   Companies identified for potential acquisition/merger; and/or

c.    Within CLINIPACE (within both Clinipace Inc. and its affiliates) the following personnel:

                               i.    Marketing,

ii.    Sales / Business Development,

iii.    Proposals,

iv.    Investors and Board Members,

v.    Executive and/or Operational Committee,

vi.    Finance,

vii.    Legal Department,

viii.    Project Management,

ix.    Information Technology, and

x.    Quality Assurance.

 

3.   Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a.   using Your IP address for logging purposes;

b.   using Your name and email address to periodically provide general industry / CLINIPACE information / educational materials in multiple formats such as ebooks, brochures, and webcast access in instances where You sign up for free webcasts, eBooks and Infographics via Your general website;

c.    using Your name, phone, email address, job title, industry description, company name, and country to allow Our sales / business development group to contact You regarding potential CLINIPACE services for Your company, in instances where You sign up for free webcasts, eBooks and Infographics via Your general website;

d.   using Your name, email address, and job title to provide general direct mass marketing mailing to promote CLINIPACE activities / services as well as to provide notification of new general industry / CLINIPACE information / educational materials, in instances where You sign up for free webcasts, eBooks and Infographics via Your general website; and

e.   using Your name, email address, phone, industry description, country, and company name to notify You of applicable industry events that may be relevant to You and that We may attend, in instances where You sign up for free webcasts, eBooks and Infographics via Your general website.

Clients

(existing and potential)

1.   Types of Personal Data We may Process.

a.   Your name, work address, work phone number, work title, and work email address;

b.   Your image or voice (if applicable);

c.    Your IP address; and

d.   Your signature.

 

2.   Recipients to whom We MAY provide Your Personal Data.

a.   companies identified for potential acquisition/merger;

b.   CLINIPACE IT Vendors who provide/maintain Our website and/or company software;

c.    vendors who have contracted with Clinipace, Sponsor or its affiliates or subsidiaries for the provision of services under the Study;

d.   clinical sites and study staff who are participating in the Study;

e.   Regulatory/legal authorities;

f.     third-party auditors;

g.   clinical trial subjects;

h.   potential / current CLINIPACE investors / banks; and

i.     Within CLINIPACE (within both Clinipace Inc. and its affiliates) potentially all internal departments.

3.   Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a.   Collecting and storing Your name, address, work contact number, work email address, signature, tax and financial disclosure information, identification number for regulatory and/or legal filing, submission, and/or compliance purposes;

b.   Collecting and transferring Your name, work address, work phone number, work title, work email address, image or voice (if applicable) to CLINIPACE staff, site staff, and/or anonymized clinical trial subjects for general information, printed materials, and/or recorded trainings, meetings and/or events;

c.    Transferring Your name, address, work contact number, work email address, signature, tax and financial disclosure information, identification number externally to applicable regulatory authorities and third party auditors for regulatory and/or legal filing, submission, and/or compliance purposes;

d.   Collecting, storing, and transferring internally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication;

e.   Collecting, storing, and transferring externally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication with third party vendors who are conducting services in relation to the Study;

f.     Collecting, storing and/or transferring Your name, address, work contact number, work email address, work title, and signature for purposes of the multicenter publication for the Study;

g.   Transferring Your name, address, work contact number, work title, work email address for purposes of registering the Study on clinical sites such as clinicaltrials.gov;

h.   Granting access to Your name, address, work contact number, work email address, work title, signature, tax, identification number externally to companies identified for potential acquisition/merger for due diligence purposes;

i.     Collecting, storing and using Your IP address for logging purposes and for username verification/security purposes when You log onto and/or access Our computer system/web platforms and;

j.     Granting access to Your name, address, work contact number, work email address, work title, signature, tax, identification number externally to CLINIPACE IT Vendors who provide/maintain on Our website and/or business software.

 

Vendors 1.     Types of Personal Data We may Process.

a. Your name, address, work phone number, work title, and work email address;

b. Your resume/CV or other educational and/or work experience or credentials;

c.  Your banking information (if paid directly);

d. Your IP address; and

e. Your hours worked (if applicable).

 

2.     Recipients to whom We MAY provide Your Personal Data.

a. Clients who have contracted with Clinipace or its affiliates or subsidiaries or potential Clinipace clients;

b. Other vendors who have contracted with Clinipace or its affiliates or subsidiaries;

c.  Clinical sites who have contracted with Clinipace or its affiliates or subsidiaries;

d. Legal authorities (including for example tax authorities, EEOC / workers counsels, and regulatory authorities);

e. Third-party auditors;

f.   Companies identified for potential acquisition/merger;

g. CLINIPACE IT Vendors who provide/maintain on Our website and/or company software; and/or

h. Within CLINIPACE (within both Clinipace Inc. and its Affiliates) potentially all internal departments including:

                     i.        Investors and Board Members,

ii.        Executive and/or Operational Committee,

iii.        Human Resources,

iv.        Payroll,

v.        Finance,

vi.        Legal Department,

vii.        Quality Assurance,

viii.        Project Management,

ix.        Business Development/Proposals, and

x.        Information Technology

 

3.       Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a. Collecting, storing, and processing Your resume/CV, Job Description if applicable and or scope of work in a contract, evidence of training compliance which may or may not include MasterControl, SOP training compliance reports and Your completed/signed electronic signature manifestation form, if required.  Some of this documentation such as Your resume/CV is pertinent to filing in the TMF.  Documentation, if filed in the TMF, may be uploaded to an electronic TMF and or in held originally in paper form;

b. Transferring Your resume/CV internally to Quality Assurance, Human Resources, Recruiting, applicable Clinipace Operational and Executive Staff, and Your manager(s) to assess Your skill set and qualifications;

c.  Transferring Your resume/CV externally to potential clients and/or third-party auditors and regulatory inspectors either electronically or in paper form for purposes of verifying that You have competence to perform Your specific job function;

d. Collecting Your work hours and banking information for purposes of providing payment to You either electronically or in paper form (if paid directly);

e. Collecting Your name, address, contact number, work hours, salary information, and identification number for purposes of providing required tax information to applicable legal authorities either electronically or in paper form;

g. Collecting Your name, address, contact number, work hours, and identification number for purposes of providing required information to applicable regulatory authorities either electronically or in paper form;

h. Collecting and transferring Your work email address, Your work phone number, Your work title, and Your name internally to all Clinipace staff and externally to the recipients specified in Section 2 for purposes of general work communications;

i.   Collecting and transferring Your name, work address, work phone number, work title, work email address, image or voice (if applicable) to other CLINIPACE staff, site staff, clients and vendors for general information, printed materials, and/or recorded trainings, meetings and/or events;

j.   Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax information, and identification number externally to companies identified for potential acquisition/merger for due diligence purposes;

k. Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, work hours, resume/CV, training record, professional and/or work qualifications information, signature, tax information, and identification number externally to CLINIPACE IT Vendors who provide/maintain on Our website and/or business software;

l.   Collecting, storing and using Your IP address for logging purposes and for username verification/security purposes when You log onto and/or access Our computer system/web platforms and;

m.   Retaining Your Personal Data in order to comply with Our legal/compliance obligations.

Institution Staff 1.   Types of Personal Data We may Process.

a.   Your name, work address, work phone number, work title, and work email address;

b.   Your resume/CV or other educational and/or work experience or credentials;

c.    You publications and/or congress presentations;

d.   Your training record;

e.   Certain financial information (for purposes of physician transparency / Sunshine Act compliance purposes);

f.     Your banking information (if applicable);

g.   Your Identification Number;

h.   Your professional / medical license numbers (if applicable);

i.     Professional certifications and/or associations membership information;

j.     Your image or voice (if applicable);

k.   Your IP address; and

l.     Your signature.

 

2.   Recipients to whom We MAY provide Your Personal Data.

a.   Companies identified for potential acquisition/merger; and/or

b.   CLINIPACE IT Vendors who provide/maintain on Our website and/or company software;

c.    Vendors who have contracted with Clinipace, Sponsor or its affiliates or subsidiaries for the provision of services under the Study;

d.   Other clinical sites and study staff who are participating in the Study

e.   Regulatory/legal authorities;

f.     Third-party auditors; and

g.   Within Clinipace/Sponsor the following personnel: (i) Investors and Board Members,(ii) Clinipace Executive and/or Operational Committee, and (iii) Operations, Data Management, Regulatory, Legal, Project Management, Medical / Monitoring, Quality Assurance, Human Resources, Information Technology Departments, Finance and/or Grants Administration Department.

 

3.   Types of Processing activities We MAY perform on Your Personal Data as well as the purpose for such Processing activities (the “Purpose”).

a.   Collecting, storing, and processing Your resume/CV, documentation of study specific roles and responsibilities assigned, site staff start and end dates for study participation and related training records for TMF uploading (either electronically or in paper form);

b.   Collecting, storing and processing Your banking information for purposes of providing payment either electronically or in paper form;

c.    Collecting and storing Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax and financial disclosure information, identification number for regulatory and/or legal filing, submission, and/or compliance purposes;

d.   Transferring Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax, financial disclosure, identification number externally to applicable regulatory authorities and third party auditors for regulatory and/or legal filing, submission, and/or compliance purposes;

e.   Collecting, storing, and transferring internally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication;

f.     Collecting and transferring Your name, work address, work phone number, work title, work email address, image or voice (if applicable) to CLINIPACE staff, site staff, and/or anonymized clinical trial subjects for general information, printed materials, and/or recorded trainings, meetings and/or events;

g.   Collecting, storing, and transferring externally Your name, address, work contact number, work email address either electronically or in paper form for purposes of general communication with third-party vendors who are conducting services in relation to the Study;

h.   Collecting, storing and/or transferring Your name, address, work contact number, email address, professional and/or work qualifications, and image for purposes of the multicenter publication for the Study;

i.     Transferring Your name, address, work contact number, work email address for purposes of registering the Study on clinical sites such as clinicaltrials.gov;

j.     Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax, financial disclosure, identification number externally to companies identified for potential acquisition/merger for due diligence purposes;

k.   Collecting, storing and using Your IP address for logging purposes and for username verification/security purposes when You log onto and/or access Our computer system/web platforms; and

l.     Granting access to Your name, address, work contact number, work email address, professional / medical license numbers, resume/CV, training record, professional and/or work qualifications information, signature, tax, financial disclosure, identification number externally to CLINIPACE IT Vendors who provide/maintain on Our website and/or business software.