Revised: February 14, 2021
1.2 About Us. We are a nonprofit corporation performing services on a worldwide basis related to clinical trial projects involving a variety of diseases. Among other services, we train project members, develop study protocols, collect, analyze and manage project-related data, and generate reports. We also develop and offer software-based solutions for research, healthcare and other applications, including data management systems as well as one or more mobile applications.
1.3 Our Third Party Associates. We rely on our relationships with various Associates (defined below) to conduct our business. In this Policy, “Associates” will mean third parties with whom we conduct business for our business purposes, including:
(a) any affiliates that control us, that we control, or that are under common control with us, such as our parents, subsidiaries and sister entities;
(b) any third parties to whom we provide products, services or data, such as clinical trial sponsors (“Trial Sponsors”), collaborators, advertisers and marketing agencies;
(c) any third parties who provide us with data or information for us to analyze or process, such as clinical research organizations (“CROs”) as well as the owners and operators of the facilities where clinical trials occur (“Clinical Facilities”); and
(d) service providers who provide or license products, services or data to us, such as customer support providers, credit card and payment processors, order fulfillment providers, market and data analyzers, product developers, real estate owners and managers, event managers, publishers, website hosts, providers of communication systems (such as phone, text and email systems), providers of information technology systems (such as databases and data servers), online platform providers, information technology consultants, business advisors, auditors, accountants and attorneys.
1.4 Our Marketing Channels. We may use one or more Marketing Channels (defined below) to collect your Sensitive Information (defined in Section 3.1). In this Policy, “Marketing Channels” will mean resources used by us or our Associates to receive or collect information, including the following resources:
(b) any other websites, ecommerce stores, servers, online portals, web portals, mobile applications and electronic user interfaces;
(c) any social media pages, HTML-formatted email messages and direct messages;
(d) phones, computers, communication devices, web cameras and representatives receiving your written, oral, telephonic and video communications;
(e) any brick-and-mortar facilities (such as laboratories, health research centers, medical clinics, offices and other buildings) as well as any cameras, beacons, sensors and other tracking equipment located at such facilities;
(f) any means for personal interaction or observation, such as the collection of survey results from you when you are located at such facilities; and
(g) surveys, forms and other materials used to document your answers, feedback or behavior at such facilities.
1.5 Mobile App Privacy. This Policy applies to Sensitive Information we receive through all of our various Marketing Channels. If we receive Sensitive Information through a mobile app that we own or operate, the related app license agreement or end user license agreement may provide information about how the app collects and uses such Sensitive Information. If the app collects and sends such Sensitive Information to others, such agreement may describe that process as well. Therefore, to fully understand the privacy of any Sensitive Information collected by any of our mobile apps, please review the applicable license agreement as well as this Policy. You may find our app license agreements at our website identified in Section 1.4(a) or at the mobile app marketplace where the app is available for downloading.
1.7 Non-Limiting Words. In this Policy, we use the words “including,” “includes,” and “such as” in a non-limiting fashion.
2. Laws and Regulations
2.1 Research & Health Privacy Regulations. In this Policy, the term “Research & Health Privacy Regulations” will mean all foreign, international, domestic, federal, state and local laws, ordinances, regulations and orders relating to health, medical, patient, research or clinical information to the extent such laws, ordinances, regulations and orders apply to our services or operations, including: (a) the regulations promulgated pursuant to the Health Information Portability and Accountability Act of the United States (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of the United States (HITECH); (b) 45 CFR Part 46, the United States Federal Policy for the Protection of Human Subjects, also known as the Common Rule; (c) FDA regulations under Title 21 of the Code of Federal Regulations relating to good clinical practice and clinical trials; (d) the good clinical practice guidelines issued by the International Council for Harmonisation; and (e) any and all amended versions of the foregoing, as may be enacted from time to time.
2.2 Applicable Laws. In this Policy, the term “Applicable Laws” will mean all foreign, international, domestic, federal, state and local laws, ordinances, regulations and orders applicable to us or our operations, including: (a) the Research & Health Privacy Regulations, the California Consumer Privacy Act, the Stop Hacks and Improve Electronic Data Security Act of New York, and the General Data Protection Regulation of the European Union ((EU) 2016/679); (b) all other laws and regulations relating to the privacy, security, protection, possession, use, processing, marketing or sale of information or data; and (c) any and all amended versions of the foregoing, as may be enacted from time to time.
3. Sensitive Information
3.1 Broader Scope. This Policy applies to personal information, as described in the Privacy Notice, as well as Identifiable Health Information (defined in Section 3.2) and Personal Data (defined in Section 13.2). In this Policy, “Sensitive Information” will mean information (including Identifiable Health Information and Personal Data) that: (a) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household; (b) includes or contains any element of personal identifying information sufficient to allow you to be identified; or (c) is otherwise regulated or restricted pursuant to any of the Applicable Laws.
3.2 Identifiable Health Information. This Policy applies to all medical, health and clinical trial information that identifies you or with respect to which there is a reasonable basis to believe the information can be used to identify you (“Identifiable Health Information”).
3.3 Research and Clinical Trials. We provide data management and analysis for clinical trial and research projects in a variety of disease settings throughout the world. If you are a participant in or subject of a clinical trial or other research study, we may receive your Sensitive Information from Trial Sponsors, CROs or health care providers affiliated with Trial Sponsors or CROs, such as Clinical Facilities. We receive this Sensitive Information in a form that is a pseudonymized, anonymized or de-identified version of your Identifiable Health Information.
3.4 Deidentified Information and Aggregate Consumer Information. Deidentified Information (defined below) and Aggregate Consumer Information (defined below) are not Sensitive Information. We may create Deidentified Information and Aggregate Consumer Information by removing identifiers from your Sensitive Information and satisfying the other requirements of Applicable Laws. For example, if your username were janedoe99, we may collect the following information: janedoe99 clicked a particular bicycle advertisement three times while located in New York City on April 23rd of a particular year. We may remove “janedoe99” and satisfy the other requirements of Applicable Laws in order to create Deidentified Information or Aggregate Consumer Information.
3.5 In this Policy, “Deidentified Information” will mean information that does not identify you, does not reasonably provide a basis to identify you, and cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to you, provided that the user of such information:
(a) has implemented technical safeguards that prohibit reidentification of you;
(b) has implemented business processes that specifically prohibit reidentification of the information;
(c) has implemented business processes to prevent inadvertent release of deidentified information; and
(d) makes no attempt to reidentify the information.
3.6 In this Policy, “Aggregate Consumer Information” will mean information that relates to a group or category of consumers, from which individual consumer identities (including your identity) have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device, and that does not identify you or reasonably provide a basis to identify you.
4. No Sale of Your Sensitive Information
4.1 We do not, and will not, sell any of your Sensitive Information.
4.2 When companies perform market research for their products and services, they often rely on data that describes the shopping and buying activities of a consumer population. We may supply these companies or other third parties with Deidentified Information not derived from Identifiable Health Information or Aggregate Consumer Information not derived from Identifiable Health Information. In exchange for supplying this type of Deidentified Information or Aggregate Consumer Information to third parties, we may receive payments or other monetary or valuable consideration.
5. How We Collect Your Sensitive Information
5.1 Collection Methods
We may collect your Sensitive Information in a variety of ways, such as by:
(b) receiving information you have provided to us via phone, text, email, electronic message, online form submission or other communications;
(c) receiving your information from our Associates for our purposes of performing data management and analysis for clinical trials;
(d) receiving information from our Associates who have shared with us the information you have made publicly available, such as photos, videos and content you have posted on publicly-available social media platforms;
(e) communicating with you in-person; and
(f) photographing or video recording you when you visit any brick-and-mortar facilities of our Marketing Channels.
5.2 Notifications and Consents
To the extent we collect your Identifiable Health Information, applicable Research & Health Privacy Regulations may require us to provide you with an additional notification or obtain an additional consent from you. In such event, we will provide such notification and obtain such consent before collecting the applicable Identifiable Health Information.
6. The Categories of Your Sensitive Information We May Access or Collect
The following table lists the categories of your Sensitive Information that we may access or collect for our business purposes:
|Categories of Sensitive Information||Examples of Sensitive Information|
|Identifiers (if you chose to provide them)||Your name, unique personal identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, state identification card number, passport number, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, and any other of your financial information, medical information, or health insurance information.|
|Characteristics of Protected Classes (if you chose to provide them)||Your race, color, national origin, religion, gender (including pregnancy), disability, age and citizenship status.|
|Commercial Information (if you chose to provide it)||Your records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|Biometric Information (if you chose to provide it)||Photos, videos and images of you, including your face, eyes, fingerprints and voice.|
|Network Activity and Device Information||Your device, browser, internet or other electronic network activity information, including browsing history, search history, information regarding your interaction with an internet website, application, or advertisement, network routing information (where you came from), date/time stamps, clickstream information (when a webpage was visited and how much time was spent on the webpage), device information, browser type, Internet Protocol (IP) address (which may identify your general geographic location), referring/exit webpages, and number of visitors, views, and interactions.|
|Geolocation Data (if you chose to provide it)||Your general geographic location and your Internet Protocol (IP) address, which may identify your general geographic location.|
|Audio and Visual Information (if you chose to provide it)||Your audio, electronic, visual, thermal, olfactory, or similar information, including voices, sounds, photos and videos of you.|
|Professional Information (if you chose to provide it)||Your professional or employment-related information.|
|Education Information (if you chose to provide it)||If you are a student, your education information, personally identifiable information and directory information, such as education records, report cards, transcripts, disciplinary records, contact and family information, and class schedules.|
|Inferred Profile Information||Inferences drawn from any of the information described in this table to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.|
|Identifiable Health Information (if you chose to provide it)||Your Identifiable Health Information, including medical records.|
|Financial Information (if you chose to provide it)||Your financial information, including income, bank account balances, payment history, credit history and credit scores.|
7. The Categories of the Sources of Your Sensitive Information
We may obtain your Sensitive Information from the following categories of sources:
|Categories of Sources||Description|
|You||We may collect the content, communications and Sensitive Information you send or provide when you use our products, services or Marketing Channels.|
|Other People||We may receive your Sensitive Information from people who use our products or services, such as when people share or comment on a photo or video of you, send a message to you, or upload, sync, or import your contact information.|
|Our Associates||We may receive your Sensitive Information from our Associates. Our Associates may collect your Sensitive Information from you or your devices in accordance with their privacy policies and Applicable Laws. For example, our Associates may use Internet-based software that connects or links to our products, services or Marketing Channels. This may enable our Associates to collect your Sensitive Information.|
8. Our Purposes for Using Your Sensitive Information
8.1 The Research & Health Privacy Regulations may restrict our right to use, keep and disclose Identifiable Health Information, and the Research & Health Privacy Regulations may require us to comply with certain confidentiality obligations regarding Identifiable Health Information. We will comply with the Research & Health Privacy Regulations with respect to our security, use, possession and disclosure of Identifiable Health Information.
8.2 Unless prohibited by applicable Research & Health Privacy Regulations, we may collect, use, keep and share your Sensitive Information if doing so is necessary for us or our Associates to conduct any of the following activities (“Necessary Purposes”):
|Your Transaction||This includes completing the transaction for which your Sensitive Information was collected, providing a good or service that is requested by you or is reasonably anticipated within the context of our ongoing business relationship with you, or otherwise performing a contract between us and you.|
|Security||This includes detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; or prosecuting those responsible for that activity.|
|Repairs||This includes debugging to identify and repair errors that impair existing intended functionality.|
|Free Speech||This includes exercising free speech, ensuring the right of another consumer to exercise his or her right of free speech, or exercising another right provided for by law.|
|California Electronic Communications Privacy Act||This includes complying with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code, or complying with a similar law of another State.|
|Research In The Public Interest||This includes engaging in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of your Sensitive Information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent.|
|Internal Uses as You Expect||This includes enabling solely internal uses that are reasonably aligned with your expectations based on your relationship with us.|
|Complying with Law||This includes complying with a legal obligation.|
|Internal Uses in Context||This includes otherwise using your Sensitive Information, internally, in a lawful manner that is compatible with the context in which you provided the Sensitive Information.|
8.3 Unless prohibited by applicable Research & Health Privacy Regulations, we may use, keep and share your Sensitive Information for the following additional purposes:
|Marketing Activities||This includes planning and performing the marketing activities for our products, services and Marketing Channels.|
|Product/Service Improvement||This includes evaluating, improving, researching and developing our products, services and Marketing Channels.|
|Personalizing||This includes personalizing our products, services and Marketing Channels for you, such as by displaying advertisements that align with your unique interests.|
|Notifying You (until you opt-out)||This includes notifying you about new releases, alerts, updates, prices, terms, offers, or developments regarding our products or services.|
|Your Testimonials (with your consent)||This includes posting testimonials in our Marketing Channels if you have given us consent for the testimonials.|
|Tell a Friend (with your approval)||This includes contacting your friend for any referral or “tell a friend” feature that you have approved.|
|Safety||This includes protecting, as we determine necessary or appropriate, the health, safety, security or privacy of our employees, agents, visitors and Marketing Channels.|
|Corporate Transactions||This includes transferring or supplying a copy of your Sensitive Information to a third party that acquires any portion of our business, assets, stock or equity in connection with a reorganization, merger, sale, joint venture, contractual assignment, transfer or other transaction, including any bankruptcy or similar proceeding.|
|Complying with Authorities||This includes acting, as we determine appropriate, to: (a) comply with Applicable Laws, including laws outside your country of residence; and (b) respond to requests from law enforcement authorities and public and government authorities, including those authorities outside your country of residence.|
|Other Business Purposes||This includes our other business purposes.|
9. The Categories of Third Parties Who May Receive Your Sensitive Information
9.1 Unless prohibited by applicable Research & Health Privacy Regulations, we may disclose your Sensitive Information to the following categories of third parties:
|Categories of Third Parties||Description|
|Connected People and Businesses||This includes people and businesses that own or operate apps, websites, products and services that are connected to our products, services or Marketing Channels.|
|Associates||This includes our Associates involved with our business purposes.|
|Law Enforcement Agencies||This includes law enforcement agencies concerning activity that we reasonably, and in good faith, believe may violate federal, state, or local law.|
|Others Permitted by Applicable Law||This includes other third parties permitted to receive your Sensitive Information in accordance with Applicable Laws.|
9.2 Unless prohibited by applicable Research & Health Privacy Regulations, based on your voluntary conduct, third parties may receive your Sensitive Information, such as:
(a) people and businesses with whom you share your Sensitive Information; and
(b) people and businesses who receive your Sensitive Information from those who originally received it from you.
10. Privacy Policies of Third Parties
Our Marketing Channels may provide links to or the ability for you to connect with resources owned or controlled by third parties, such as third party websites, services, social networks and mobile applications. Some of these resources may be integrated into our products, services or Marketing Channels. Clicking on these resources or enabling these connections may enable the applicable third party to collect or share parts of your Sensitive Information. These third party resources are beyond our control. We encourage you to check the privacy policies of these third party resources before providing your Sensitive Information to them.
11. How to Control Your Preferences
11.1 Opt-Out Settings. We may enable you to opt-out of, decline or disable certain features that involve the use of your Sensitive Information. For example, we may enable you to select a setting to opt out of marketing emails and messages by modifying your user profile or using our unsubscribe link.
11.3 Blocking of Advertisements. Your browser may enable you to block advertisements. However, doing so may degrade the functionality of our products, services and Marketing Channels.
12. California Residents
12.1 If you are a California resident, you can learn more about your consumer privacy rights by reviewing our Privacy Notice.
12.2 Under California Civil Code Section 1798.83 (also known as Information-Sharing Disclosure, Shine the Light), if you are a California resident and your business relationship with us is primarily for personal, family, or household purposes, you may request certain data regarding our disclosure, if any, of Sensitive Information to third parties for the third parties’ direct marketing purposes. To make such a request, use our contact page, and state “Legal Matter” in the subject line. You may make such a request up to once per calendar year. In accordance with California Civil Code Section 1798.83, we will provide to you, by e-mail, a list of the categories of Sensitive Information disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, along with the third parties’ names and addresses and any other information required by California Civil Code Section 1798.83.
13. European Union Residents
13.1 GDPR. If you are a resident or citizen of a member-country of the European Union, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) may provide you with certain rights beyond the rights stated elsewhere in this Policy. For information about the GDPR, you may visit https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.
13.2 GDPR Definitions. Pursuant to the GDPR, the following capitalized terms will have the following definitions, as used in this Section 13:
“Data Subject” will mean an identified or identifiable natural person, which includes one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data” will mean any information relating to a Data Subject.
“Processing” will mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Pseudonymisation” or “Pseudonymized” will mean: (a) the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person; or (b) Personal Data that has undergone such processing.
“Special Categories of Personal Data” will mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
13.3 When GDPR Applies. This Section 13 applies to you if you are located in the European Union while we collect or process your Personal Data or if you were located in the European Union while we collected or processed your Personal Data. This Section 13 applies to such Personal Data regardless of the Marketing Channel used to collect or process such Personal Data.
13.4 Our Role; Clinical Projects.
13.4.1 Data Processor and Joint Controller. For clinical trial and research projects, we are a data processor of Personal Data regulated by the GDPR. In a limited number of these projects, we are also a joint controller of Personal Data regulated by the GDPR.
13.4.2 Clinical Project Purposes. We process Personal Data related to clinical trial and research projects for purposes that include: (a) scientific discovery, hypothesis generation, statistical reporting, summarization of results, exploratory, scientific and other analysis, reanalysis, publication, reproduction of published findings, presentation, and quality checks; and (b) the management, coordination and conduct of these projects.
13.5 Notification. The provisions and information in this Section 13 will be considered our notice to you regarding the GDPR and your related rights.
13.6 GDPR Representative. As an organization located within the United States, we have appointed our GDPR Representative (defined in Section 13.16.1) for purposes of liaising with: (a) you if you want to raise a question to us, or otherwise exercise your rights in respect of your Personal Data; and (b) Data Protection Authorities (DPAs). Section 13.16 provides our contact information and the contact information of our GDPR Representative.
13.7 Personal Data We Collect. The Personal Data we collect about you may include Pseudonymized clinical trial subject data as well as your name and contact information, such as your email address, mailing address and phone number.
13.8 Consent for Special Categories of Personal Data. The Pseudonymized data we process may contain Special Categories of Personal Data. We may collect and process this type of data after obtaining your explicit consent for one or more specified purposes. This consent may be obtained and managed by us or our Associates, such as our Trial Sponsors, the CROs or the Clinical Facilities. In addition, only the necessary information is collected in accordance with our contract with the applicable Trial Sponsor.
13.9 How We Collect and Process Personal Data. We may collect and process your Personal Data in the ways described in this Section 13.9.
13.9.1 Via Our Data Management Systems. If you consent to being a clinical trial subject, we may collect pre-determined Personal Data directly or through our Trial Sponsor or the applicable CRO or Clinical Facility. Our Associates may enter the Personal Data into our data management systems, which will generate data sets. We may collect only the pre-determined information necessary to allow us to fulfill our obligations under our contract with the applicable Trial Sponsor.
13.9.2 Via Contracts and Agreements with Associates. We may collect your Personal Data that is present in contracts and agreements with our Associates. We will archive these contracts and agreements in secured and access-controlled electronic or physical file systems.
13.9.3 Via Telecommunications (phone, computer and email). We may collect your Personal Data through your direct communications with us, such as by telephone, email or via our portal website.
13.10 Legal Basis for Processing Personal Data.
13.10.1 We may process your Personal Data pursuant to one or more of the following legal bases in accordance with the applicable provisions of the GDPR:
|Consent||Our obtaining of the Data Subject’s consent|
|Contract Performance (including our contracts with Trial Sponsors, CROs, Clinical Facilities and other Associates)||Our performance of a contract between the Data Subject and us|
|Legally Necessary||Necessary for our compliance with a legal obligation|
|Vital Interests of the Data Subject||Necessary to protect the vital interests of the Data Subject|
|Public Interest/Official Authority||Necessary for our performance of a task carried out in the public interest or in the exercise of official authority|
|Legitimate Interests||Our legitimate interests except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data|
13.10.2 Pursuant to one or more of the following legal bases under the GDPR, we may process your Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data that uniquely identifies a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation:
|Consent||Our obtaining of the Data Subject’s explicit consent to the processing of such Personal Data for one or more specified purposes|
|Vital Interests of the Data Subject||Necessary to protect the vital interests of the Data Subject|
|Legitimate Interests||Carried out in the course of our legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that such Personal Data is not disclosed outside that body without the consent of the applicable Data Subject.|
|Data Subject’s Disclosure||Data Subject publicly disclosed such Personal Data|
|Legal Claims||Necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity|
|Substantial Public Interest||Necessary for reasons of substantial public interest|
|Medical||Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems|
|Public Health||Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices|
|Archival, Research & Statistics||Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes|
|Other GDPR bases||Other bases provided in the GDPR|
13.11 Transfers of Personal Data. To the extent we transfer any Personal Data from any country that is a member state of the European Union to any other country, we will satisfy the conditions required for such transfer under the GDPR and other Applicable Laws and, as applicable, contractual data processing principles. For example, depending on the circumstance, we may implement any of the following measures to satisfy such conditions: (a) appropriate safeguards to protect such Personal Data, including binding corporate rules, standard data protection clauses, an approved code of conduct, an approved certification mechanism, or any other measure set forth in the GDPR, provided that, in each such case, we will implement the applicable measure in accordance with the requirements of the GDPR; or (b) a procedure or measure to confirm that such transfer is necessary or has been explicitly consented to by the applicable Data Subject, that such transfer is not repetitive, concerns only a limited number of Data Subjects, is necessary for the purposes of compelling legitimate interests pursued by us, and that we have satisfied the additional requirements set forth in the GDPR.
13.12 Sharing of Personal Data. We will not share your Personal Data with parties except to the extent the applicable contract or agreement or your informed consent permits us to do so. If a third party has access to study data that contains your Personal Data, such party will be bound by the applicable contract to abide by data privacy requirements.
13.13 Personal Data Retention Period. We will collect, process and store your Personal Data in accordance with all domestic and international laws and regulations, including the specific requirements of the GDPR, where applicable. We strive to keep your Personal Data we hold safe, with integrity and not for longer than necessary, pursuant to contract terms, Applicable Laws and regulations, and for audit purposes.
13.14 Data Subject Rights Under GDPR.
13.14.1 At any point while we are in possession of, or processing your Personal Data, you (the Data Subject) will have the following rights under the GDPR:
|Right of Access||You will have the right to request a copy of the Personal Data that we hold about you.|
|Right of Rectification||You will have the right to correct Personal Data that we hold about you that is inaccurate or incomplete.|
|Right to be Forgotten||In certain circumstances, you may ask for the Personal Data we hold about you to be erased from our records.|
|Right to Restriction of Processing||When certain conditions apply, you will have the right to restrict the processing of your Personal Data.|
|Right of Portability||You will have the right to have the Personal Data we hold about you transferred to another organization.|
|Right to Object||You will have the right to object to certain types of processing of your Personal Data.|
|Right to Object to Automated Processing (including profiling)||You will have the right to object to being subject to the legal effects of automated processing or profiling involving your Personal Data.|
13.14.2 The rights described in Section 13.14.1 differ depending upon applicable exceptions under the GDPR. We will notify you in connection with correction or deletion or restriction of processing, unless impossible or disproportionately difficult. These rights are not absolute, and we may be entitled to refuse requests where exceptions apply. If we determine that you are not entitled to exercise any of these rights, we will provide you with the reasons for the denial. Nevertheless, you will have the right to complain by sending a notice to us as provided below in Section 13.16.
13.14.3 The erasure of your Personal Data may also be subject to our records retention policy. If, pursuant to the GDPR, we are legally required or permitted to retain your Personal Data for a certain period of time, we will do so in accordance with our legal permissions or obligations, as the case may be.
13.15 Information about the Personal Data We Hold. At your request, we may provide information related to the Personal Data we hold about you and how it is processed. You may request the following information:
(a) Information about how and why your Personal Data is processed.
(b) The contact information of our Data Protection Officer.
(c) Our legitimate purpose basis for processing your Personal Data.
(d) The categories of your Personal Data collected, stored and processed.
(e) Recipients to whom your Personal Data is being, will be, or may be disclosed.
(f) Security of the transfers of your Personal Data, if needed.
(g) Data retention period.
(h) Details of your rights to correct, erase, restrict or object to our processing of your Personal Data.
(i) Information about your right to withdraw your consent at any time.
(j) Information about how to submit a complaint to the supervisory authority of your member state of the European Union.
(k) Information about the party that provided us with your Personal Data, if it was not collected directly from you.
13.16 How to Submit a Request or Notice.
13.16.1 Our GDPR Representative’s Contact Information. Because we are located in the United States, we have appointed Data Protection Representative Limited (trading as DataRep) (“GDPR Representative”) to accept your requests and notices, including any complaint.
(a) To email our GDPR Representative, please send your email as follows:
To: firstname.lastname@example.org
Subject Line: Frontier Science
(b) To contact our GDPR Representative through our GDPR Representative’s website, please submit the website form at www.datarep.com/data-request.
(c) To mail our GDPR Representative, please use one of the following mailing addresses set forth in the table below. When mailing inquiries, you must mark your envelopes for “DataRep” and not “Frontier Science” to ensure DataRep receives your inquiry. In your letter, please clearly refer to Frontier Science.
|Austria||DataRep, City Tower, Bruckenkopfgasse 1/6. Stock, Graz, 8020, Austria|
|Belgium||DataRep, Place de L'Universite 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium|
|Bulgaria||DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria|
|Croatia||DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia|
|Cyprus||DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus|
|Czech Republic||DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic|
|Denmark||DataRep, Lautruphoj 1-3, Ballerup, 2750, Denmark|
|Estonia||DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia|
|Finland||DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland|
|France||DataRep, 72 rue de Lessard, Rouen, 76100, France|
|Germany||DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany|
|Greece||DataRep, 24 Lagoumitzi str, Athens, 17671, Greece|
|Hungary||DataRep, President Centre, Kalman Imre utca 1, Budapest, 1054, Hungary|
|Iceland||DataRep, Kalkofnsvegur 2, 101 Reykjavik, Iceland|
|Ireland||DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland|
|Italy||DataRep, BPM 335368, Via Roma 12, 10073, Cirie TO, Italy|
|Latvia||DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia|
|Liechtenstein||DataRep, City Tower, Bruckenkopfgasse 1/6. Stock, Graz, 8020, Austria|
|Lithuania||DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania|
|Luxembourg||DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg|
|Malta||DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta|
|Netherlands||DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands|
|Norway||DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway|
|Poland||DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland|
|Portugal||DataRep, Torre de Monsanto, Rua Afonso Praca 30, 7th floor, Alges, Lisbon, 1495-061, Portugal|
|Romania||DataRep, 15 Piața Charles de Gaulle, nr. 1-T, București, Sectorul 1, 011857, Romania|
|Slovakia||DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia|
|Slovenia||DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia|
|Spain||DataRep, BPM 335368, Avd. Castilla La Mancha N° 70-1 (Nave A), 45270, Mocejon-Toledo, Spain|
|Sweden||DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden|
|United Kingdom||DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom|
13.16.2 Our Contact Information. Our contact information is as follows:
Frontier Science & Technology Research Foundation, Inc.
GDPR Compliance Team
4033 Maple Road
Amherst, New York 14226, USA
Tel: 1 (833) 343-1515
13.16.3 Correspondence. If you wish to submit any request or notice to exercise any of your rights under the GDPR or this Section 13, you may either contact us directly or through our GDPR Representative, in each case, as provided above in this Section 13.16. In the subject line or introduction of your correspondence, please state “Frontier Science – GDPR.”
13.17 Incident Notification. The Personal Data we hold is subject to rigorous measures and procedures to minimize the risk of the unauthorized access or disclosure of your Personal Data. However, we or our Trial Sponsor will contact you if such event occurs.
13.18 Complaints. You will have the right to submit a complaint with us through the contact method described in Section 13.16. Also, you will have the right to submit a complaint about us directly to the applicable supervisory authority, using the information posted at the following URLs: (a) European Data Protection Board – https://edpb.europa.eu/; and (b) Complaint process map – https://iapp.org/media/pdf/publications/GDPR-tool-print.pdf.
14. Financial Privacy Laws
We may enter into a contract with you that involves our receipt of Sensitive Information that includes your financial information. Your financial information may be protected under Applicable Laws, such as the Privacy of the Gramm–Leach–Bliley Act (Public Law No. 106-102) and the Privacy Regulations and related implementing regulations, and the standards for safeguarding customer information set forth in 12 CFR Part 364 and 16 CFR Part 314. These laws may provide certain provisions regarding such contract, the handling of your financial information, your rights, and the procedures we must follow. These laws may require that we give you certain financial privacy notices beyond the notices in this Policy. We will comply with these laws.
15. How to Request Opt-Outs, Corrections, Deletions and Copies
15.1 You may have the ability to update your account profile and related Sensitive Information by logging in to your user account and following the prompts to update your profile.
15.2 Also, you may provide us with a request to: (a) obtain a copy of your Sensitive Information in our possession; (b) correct or delete any such Sensitive Information; or (c) change how we collect or use your Sensitive Information. In your request, please make clear the specific pieces of Sensitive Information you would like to have changed or deleted from our databases. To submit a request under this Section, state “Legal Matter” in the subject line of your request, and send your request through our contact page or by writing or emailing us at the following address:
Frontier Science & Technology Research Foundation, Inc.
4033 Maple Road
Amherst, New York 14226, USA
15.3 For security purposes, we may require identity verification before processing your request.
15.4 We will respond to your request within a reasonable timeframe and in accordance with the requirements, frequency and timing specified by Applicable Laws. We may decline part or all of your request as permitted by Applicable Laws. For example, we may decline to delete your Sensitive Information if Applicable Laws permit us to retain it for Necessary Purposes or other business purposes. In such cases, we will let you know the reason for the decline.
16. Cross Border Transfers/Storage
We might offer our products, services or Marketing Channels on a worldwide basis and might rely upon the services or facilities of our Associates located in the United States and other countries throughout the world. In accordance with Applicable Laws, we may transfer your Sensitive Information to countries outside of the United States where it may be stored and processed for the uses described in this Policy. You hereby consent to the transfer of your Sensitive Information to countries outside of your country of residence, which may have different data protection rules than those of your country.
17. How Long We May Keep Your Sensitive Information
17.1 Unless prohibited by applicable Research & Health Privacy Regulations, we may retain your Sensitive Information until we no longer have Necessary Purposes or other business purposes to keep your Sensitive Information (“Retention Period”).
17.2 Unless prohibited by applicable Research & Health Privacy Regulations, at the end of the Retention Period or when you delete your user account, whichever comes first, we may permanently destroy, erase, delete, encrypt or disable access to your Sensitive Information in a manner designed to ensure that it cannot be reconstructed or read. You will not be able to recover such Sensitive Information later.
18. Security of Your Sensitive Information
The security of your Sensitive Information is very important to us. Directly or through our Associates, we use physical, technical, and administrative safeguards designed to protect your Sensitive Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, we cannot warrant the security of any Sensitive Information that you send us. There is no guarantee that your Sensitive Information will not be unlawfully accessed or destroyed by a hacking incident, cyberattack or other breach of our physical, technical or administrative safeguards.
19. Policy Updates
We may update this Policy from time to time. The date provided at the beginning of this Policy is the latest revision date of this Policy. To request a prior version of this Policy, please contact us.
© Frontier Science & Technology Research Foundation, Inc.