Overview of Clinipace
As a global full-service digital contract research organization (dCRO), Clinipace Inc., a global company headquartered in the United States and its Affiliates (“CLINIPACE”) has pioneered an innovative technology-amplified CRO service model to serve the unique needs of venture-backed, mid-tier, and strategic pharmaceutical, biotechnology and medical device firms. Powered by TEMPO™ (CLINIPACE’S proprietary eClinical platform), our team of experts brings extensive therapeutic knowledge and insight into assisting life science firms in developing and executing regulatory strategies, clinical development and post-approval research to ensure a successful drug and medical device development program.
- Affiliates: means the list of entities in Exhibit A of the Information Notice (see below links).
- Controller: means a person or entity which, alone or jointly, determines the purposes and means of Processing Personal Data of a Data Subject.
- Data Subject: an identified or identifiable person who has provided Personal Data.
- HR Personal Data: Personal Data of employees and contractors.
- Personal Data: are identifiable data recorded in any form about a Data Subject, which may include identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
- Process/Processing/Processed: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Processor: a person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
- Sensitive Personal Data: Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the Data Subject.
Limitations On Scope.
Adherence to this Privacy Statement may be limited to the extent required by law, regulations or other governmental obligations, and CLINIPACE reserves the right to share a Data Subject’s Personal Data as required or authorized by law or regulation or requested by governmental authorities. In accordance with applicable privacy laws, this Privacy Statement may not apply or may be limited to Processing activities necessary for the performance of a contract between the Data Subject and CLINIPACE.
CLINIPACE has certified that it is complies to both the Privacy Shield and Swiss Safe Harbor Principles of: 1) notice, 2) choice, 3) accountability for onward transfer, 4) security, 5) data integrity and purpose limitation, 6) access, and 7) recourse, enforcement and liability (the “Principles”) in regard to the Processing of “Personal Data” of Data Subjects transferred from European Union and Switzerland to the United States. For a more detailed explanation on the rights and obligations described under the Principles please refer to Exhibit A of the Privacy Statement.
CLINIPACE has also certified that it agrees to cooperate and comply with 1) applicable EU and Swiss Data Protection Authority with regard to the Processing of HR Personal Data and 2) the Federal Trade Commission with regard to the Processing all other Personal Data. CLINIPACE acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield.
CLINIPACE Data Processing Activities / Information Notices.
In the course of conducting its day to day activities CLINIPACE may Process the Personal Data of different Data Subjects. For some Processing activities CLINIPACE may act as Controller and other times CLINIPACE may act as a Processor at the direction of its client.
CLINIPACE acts as a:
- Controller in terms of Personal Data that is Processed from its employees, contractors, web users, clients, and certain vendors; and
- Processor on behalf of its Controller clients in terms of Processing Personal Data from clinical study site staff and certain vendors.
CLINIPACE collects and stores:
- HR Personal Data from CLINIPACE’s employees and contractors (past and present) collected in the context of the employment relationship necessary for personnel administration and the performance of CLINIPACE clinical study and legal/regulatory obligations;
- vendor and client Personal Data for purposes of providing client services;
- web user Personal Data for marketing and general informational purposes;
- clinical study site staff Personal Data for purposes of regulatory compliance and for fulfilling CLINIPACE clinical study and legal/regulatory obligations; and
- key coded clinical subject data for purposes of fulfilling CLINIPACE’s clinical study obligations.
Note on Clinical Trial Subject Data: Under the Privacy Shield, key-coded data is not considered protected Personal Data if the company does not receive the key. It is CLINIPACE’s policy to only receive key coded clinical subject data. In the event that CLINIPACE comes in contact with un-redacted clinical trial Personal Data, CLINIPACE will adhere to the Principles with respect to the Processing of such Personal Data.
Under the Notice Principle, CLINIPACE is obligated to provide notification regarding the use, processing, transfer, and retention of a Data Subject’s Personal Data as well as his/her request and recourse rights under the Principles.
Please click on the appropriate link below to read the applicable “Information Notice”:
- CLINIPACE’s web users: https://www.clinipace.com/wp-content/uploads/2016/09/EU-Safety-Shield-Web-User-Information-Notice
- CLINIPACE’s clients: https://www.clinipace.com/wp-content/uploads/2016/09/EU-Safety-Shield-Client-Information-Notice
- CLINIPACE’s vendors: https://www.clinipace.com/wp-content/uploads/2016/09/EU-Safety-Shield-Vendor-Information-Notice
- CLINIPACE’S employees and contractor: \\clinipace.net\dfs\HR\Public
- CLINIPACE’s Institution study staff information: https://www.clinipace.com/wp-content/uploads/2016/09/EU-Safety-Shield-Institution-Staff-Information-Notice-FINAL
Note to Clinical Trial Subjects. For clinical trial subjects enrolled in CLINIPACE participating trials, please reach out to the institutional/investigator contact indicated on your clinical subject Informed consent form for all privacy related inquiries and/or complaints.
Please go to Exhibit A Section 1 for more information on this topic.
Recourse, Enforcement and Liability.
In compliance with the Principles, CLINIPACE commits to resolve complaints about our Processing activities with respect to the Personal Data of European and Swiss Data Subjects. CLINIPACE has also committed to refer unresolved complaints, at no cost to the Data Subject, to 1) the International Centre for Dispute Resolution, the global component of the American Arbitration Association, which is an independent recourse mechanism establish in the United States (“IDCR/AAA”) (to submit a claim or learn more go to: http://info.adr.org) for non-HR Personal Data and 2) by the applicable national Data Protection Agency of where the Data Subject works for HR Personal Data. CLINIPACE commits to cooperate with the panel established by the EU Data Protection Authorities (“Panel”) and comply with the advice given by the Panel with regard to HR Personal Data transferred from the European Union (in the context of the employment relationship). The Data Subject also has the right to complain directly to the Department of Commerce and the EU Data Protection Authority. If a Data Subject’s complaint is still not resolved by the mechanisms above, in some instances, the Data Subject has the right to invoke binding arbitration. Please go to Annex 1 of the Data Shield Principles for more information at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
For European and Swiss Data Subject inquiries, requests, or complaints, please click on the appropriate Information Notice web link above and follow the “Clinipace Dispute Resolution Mechanism Process” outlined in the appropriate Information Notice.
In the context of onward transfer, a Privacy Shield organization has responsibility for the Processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Any CLINIPACE staff in violation of this Privacy Statement will be subject to disciplinary action up to and including termination of employment, where applicable.
Please go to Exhibit A Section 7 for more detailed information on this topic.
This Privacy Statement shall become effective 30 September 2016. Please refer to www.clinipace.com for the most recent version of this Privacy Statement.
Privacy Statement Changes.
This Privacy Statement may be reviewed and amended from time to time, without advance notice, consistent with the requirements of the Principles, to ensure that an appropriate level of protection for Personal Data is maintained.
All amendments will be posted on the following website: www.clinipace.com.
A notice will be posted on the www.clinipace.com website for sixty (60) days if there is a material amendment to this Privacy Statement.
CLINIPACE’s Privacy Shield Certification and more information about Privacy Shield can be found at https://www.privacyshield.gov.
CLINIPACE’s Swiss Safe Harbor Certification and more information about Swiss Safe Harbor can be found at http://2016.export.gov/safeharbor/.
DETAILED EXPLANATION OF THE RIGHTS AND OBLIGATIONS UNDER THE PRIVACY SHIELD PRINCIPLES
To ensure compliance with the Principals, CLINIPACE must provide all of its Data Subjects with appropriate notice, in clear and conspicuous language, regarding the use, processing, transfer, and retention of its Personal Data when the Data Subject is first asked to provide Personal Data to CLINIPACE or as soon thereafter as is practicable, but in any event before CLINIPACE uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.The information contained in the notification shall include:
- Clinipace’s participation in Privacy Shield / Swiss Safe Harbor;
- the types of Personal Data CLINIPACE and its entities and subsidiaries collects;
- Clinipace’s commitment to Data Subject to the Principles all Personal Data received from the EU in reliance on the Privacy Shield;
- the purposes for which CLINIPACE collects and uses Personal Data about them;
- how to contact CLINIPACE with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
- the type or identity of third parties to which CLINIPACE discloses Personal Data, and the purposes for which CLINIPACE does so;
- the right of the Data Subject to access their Personal Data, subject to limitations provided in Data Shield and Swiss Safe Harbor;
- the choices and means CLINIPACE offers Data Subjects for limiting the use and disclosure of their Personal Data;
- the independent dispute resolution body CLINIPACE has designated to address Data Subject complaints and provide appropriate recourse free of charge to the Data Subject and designate whether the independent dispute resolution body is: (i) a panel established by DPAs, (ii) an alternative dispute resolution provider based in the EU, or (iii) an alternative dispute resolution provider based in the United States;
- which investigatory and enforcement powers CLINIPACE is subject;
- the possibility, under certain conditions, for the Data Subject to invoke binding arbitration;
- CLINIPACE’s requirement to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
- CLINIPACE’s liability in cases of onward transfers to third parties.
Please refer to the applicable CLINIPACE Information Notice detailing the information required to be provided under subsections 1 through 13 above.
To remain compliant with the Principals, Data Subjects have the opportunity to choose (opt out) whether their Personal Data is:
- Is disclosed to a third party that is not acting as an agent to perform tasks on behalf of CLINIPACE and does not have a contract with CLINIPACE for such tasks
- Is used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Data Subject.
If the Data Subject wishes to ‘opt out’, the Data Subject must contact CLINIPACE using the means of communication outlined in the Information Notice.
For Sensitive Personal Data CLINIPACE will obtain affirmative express consent (opt in) from Data Subjects if such information is to be
- disclosed to a third party
- used for a purpose other than those for which it was originally collected or subsequently authorized by the Data Subject through the exercise of opt-in choice.
CLINIPACE treats as sensitive any Personal Data received from a third party where the third party identifies and treats such Personal Data as sensitive.
3. Accountability for Onward Transfers
CLINIPACE transfers Personal Data to a third party, acting as a Controller, in conformance with the Principals of Notice and Choice. CLINIPACE will enter into a contract with any third-party controller which will provide that:
- such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the Data Subject;
- the recipient third party will provide the same level of protection as the level of protection afforded in the Principles; and
- the recipient third party will notify CLINIPACE if it determines it can no longer meet this obligation and will subsequently cease processing or take other reasonable and appropriate steps to remediate its perceived deficiencies.
CLINIPACE will only transfer personal data to a third party acting as CLINIPACE’s agent if:
- CLINIPACE’s Personal Data transfer to the third party agent is only for limited and specified purposes;
- CLINIPACE ascertains that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- CLINIPACE takes reasonable and appropriate steps to ensure that the third party agent effectively processes the Personal Data transferred in a manner consistent with CLINIPACE’s obligations under the Principles;
- CLINIPACE requires that the third party agent notify CLINIPACE if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and will subsequently cease processing or take other reasonable and appropriate steps to remediate its perceived deficiencies; and
- CLINIPACE provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Federal Trade Commission or other applicable regulatory body upon request.
Please refer to the applicable CLINIPACE Information Notice for more information on how CLINIPACE handles third party transfers.
CLINIPACE takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved with the processing and nature of the Personal Data.
Please refer to the applicable CLINIPACE Information Notice for more information on how CLINIPACE ensures security of the Personal Data.
5. Data Integrity and Purpose Limitation
CLINIPACE’s collection, use, processing and retention of the Personal Data is limited to the information that is relevant for the purposes of processing (“Purpose”). CLINIPACE will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.To the extent necessary for those purposes, CLINIPACE takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current.CLINIPACE adheres to the Principles for as long as it retains the Personal Data. Personal Data is retained in a form identifying or making identifiable the Data Subject only for as long as it serves the Purpose, provided that CLINIPACE may retain the Personal Data for longer periods of time if permitted by the Principles such as serving customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, adherence to other laws such as FDA or other applicable regulatory authority rules and/or regulations, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
Please refer to the applicable CLINIPACE Information Notice for more information on the purposes by which CLINIPACE processes Personal Data and the applicable data retention requirements.
Upon request, CLINIPACE will provide Data Subjects access to its Personal Data that CLINIPACE holds.The Data Subject can request that CLINIPACE correct, amend, or delete inaccurate Personal Data or Persona Data that is processed in violation of the Principles, provided that the burden or expense of providing access is not disproportionate to the risks to the Data Subject’s privacy or where the rights of other Data Subjects would be violated if access was granted.
Please refer to the applicable CLINIPACE Information Notice for more information on how Data Subject can request his/her access rights.
7. Recourse, Enforcement and Liability
CLINIPACE has implemented internal, self-assessment procedures for conducting random audits of its privacy practices to ensure that such practices are in compliance with this Privacy Statement. In the event that CLINIPACE becomes aware that its policies/processes are not compliant with the Principles, CLINIPACE will promptly remedy the problem by modifying its applicable policies and/or procedures (including this Privacy Statement) accordingly to ensure compliance.
CLINIPACE has also trained its employees to ensure compliance with its privacy obligations under the Principles. Any employee or contractor that CLINIPACE determines is in violation of this Privacy Statement will be subject to mandatory re-training and/or disciplinary action, up to and including termination.
In the event of a privacy related issue or complaint CLINIPACE will cooperate with and promptly respond to inquiries and requests from
- the Applicable EU Agency or the Swiss Federal Data Protection and Information Commission, as applicable, for HR related privacy concerns/complaints; and
- the FTC, Department of Commerce and Third Party Dispute Contact identified in the Information Notice for all other privacy concerns/complaints.
CLINIPACE will investigate and/or resolve any concern, complaint or question (“Issue(s)”) in accordance with this Privacy Statement. CLINIPACE employees, contractors or applicable external parties will direct any Issue(s) arising from the use or disclosure of Personal Information to the CLINIPACE.
Data Subject Recourse Mechanisms.
The Data Subject has a number of recourse mechanisms in the event of a data privacy issue such as:
- the right to complain to CLINIPACE regarding his/her data privacy issue in which CLINIPACE must respond to the Data Subject’s complaint within forty five (45) of receipt of the complaint;
- the right to a cost-free independent dispute resolution mechanism to address non-HR related privacy complaints, which for CLINIPACE if the complaint remains unresolved by CLINIPACE;
- the right to complain to the applicable data protection authority in the Data Subject’s country of origin or the FTC for data privacy concerns, if the complaint remains unresolved by CLINIPACE; and
- the ability to invoke binding arbitration in accordance with the rules set forth under Annex 1 of the Data Shield Framework to address any complaint regarding a violation of CLINIPACE’s obligations under the Data Shield Principles if the Data Subject’s complaint has not been resolved by any of the other means described above.
If the Data Subject has invoked binding arbitration, CLINIPACE will follow the rules set forth in Annex 1 of the Data Shield Framework.
Please refer to the applicable CLINIPACE Information Notice for more information on how Data Subjects can submit privacy complaints.
CLINIPACE Consequences for Non-Compliance
- CLINIPACE is potentially liable if a third party acting as an agent on CLINIPACE’s behalf transfers or processes Personal Data in violation of the Principles.
- If CLINIPACE becomes subject to an FTC or court order based on non-compliance, CLINIPACE shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
- CLINIPACE may be subject to monetary damages if the Data Subject is awarded damages under binding arbitration.
- CLINIPACE may be subject to sanctions or exclusion from participating in the US-EU Privacy Shield program if the Department of Commerce deems the violation warrants such sanctions or exclusion. If CLINIPACE is excluded from participating in the US-EU Privacy Shield Program, CLINIPACE may be required to return or delete the Personal Data it received under the US-EU Privacy Shield.
HR Data Supplemental Principles.
The US-EU Privacy Shield provides additional principles with respect to HR Personal Data (“HR Principles”). CLINIPACE agrees to adhere to the HR Principles as outlined below.
Coverage by the Privacy Shield
CLINIPACE agrees that before transfers of European HR Personal Data to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield are made that CLINIPACE will ensure that 1) the collection and/or processing of the HR Personal Data prior to transfer was done in accordance with national laws of the country in the European Union where it was collected, and 2) any conditions for or restrictions on its transfer according to those laws are respected.
Application of the Notice and Choice Principles
- CLINIPACE may disclose European HR Personal Data of its employees and contractors it to third parties or use it for different purposes than the purpose indicated from the original collection of the HR Personal Data, but only if CLINIPACE provides the affected Data Subjects with adequate notice and choice purpose (in accordance with the Principles) to transfer and/or use the HR Personal Data for a new purpose.
- CLINIPACE’s desired new use must not be incompatible with the original purposes for which the HR Personal Data has been collected or subsequently authorized by the Data Subject. Notice and choice requirements to the employee/contractor Data Subject is not required to the extent and for the period necessary to avoid prejudicing the ability of CLINIPACE to make decisions on promotions, appointments, or other similar employment decisions.
- CLINIPACE may not restrict employment opportunities or take any punitive action against any of its employee/contractor Data Subjects if the Data Subject does not consent to the new use or transfer. Upon written request, CLINIPACE will make reasonable efforts to accommodate employee/contractor Data Subject privacy preferences.
- CLINPACE acknowledges that certain generally applicable conditions for transfer of HR Personal Data from some European Member States may preclude other uses of such HR Personal Data even after transfer outside of the European Union.
Application of the Access Principle
CLINIPACE will comply with local regulations with respect to the Processing of HR Personal Data and shall ensure that European Union employee/contractor Data Subjects have access to HR Personal Data, if such access is required by law in their home countries, regardless of the location of data processing and storage.
- CLINIPACE understands that the primary responsibility for European HR Personal Data remains with the organization residing in Europe.
- CLINIPACE shall refer European employee/contractor Data Subjects to the local Data Protection Authority where he/she works when the Data Subject is not satisfied with CLINIPACE’s handling of his/her HR Personal Data complaint or the end result of the complaint.
- CLINIPACE agrees to cooperate with competent EU authorities in its investigations regarding the Processing of HR Personal Data by and will comply with the advice of such competent EU authorities.
Application of the Accountability for Onward Transfer Principle
CLINIPACE acknowledges that HR Personal Data transfers to a third party Controller for occasional employment-related operational needs (i.e. booking a flight, hotel room, or insurance coverage) or transfers involving of a small number of employees can take place without having to grant access under Section 8(c) or entering into a contract with the third-party Controller, as long as CLINIPACE adheres to the notice and choice requirements under Section 8(b).