|1||At Bioclinica, Personal Data is collected, used, retained, and shared in a transparent and secure manner with an emphasis on respect and protection of the Data Subject and compliance with applicable data protection laws and regulations.|
|2||At Bioclinica, requests made by Data Subjects about their Personal Data are respected and responded to in a timely manner.|
|3||At Bioclinica, Processors and Controllers that are working on behalf of Bioclinica are held accountable to the same standards as described in this Policy.|
Scope and Applicability
This Policy covers all Personal Data Processed by Bioclinica in a role as either Processor or Controller and applies to all Bioclinica’s legal entities and their respective employees (permanent and temporary), secondees, and Staff Augmentation worldwide.
|Anonymization||The process by which Personal Data is irreversibly stripped of all identifiers and can no longer be linked back to a Data Subject. Once this action is done, the data is no longer considered Personal Data.|
|Consent||A freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of his or her Personal data.|
|Controller||The Data Controller determines the purposes and means of Processing the applicable Personal Data.|
|Data Privacy Breach||A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.|
|General Data Protection Regulation (GDPR)||European Union Regulation 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.|
|Data Subject||Any natural person whose Personal Data is being Processed.|
|Personal Data||Any information about an identified or identifiable Data Subject or household (including but not limited to employees, patients, or website users). Personal Data may include the following (subject to applicable data protection laws and regulations):|
▪ A Data Subject’s name, address and telephone number
▪ The professional education and prescribing practices of a healthcare professional
▪ The email address and other identifying information provided by someone visiting a Bioclinica website
▪ Keycoded trial participant identifier
(or any variation thereof)
|Any operation or set of operations performed upon Personal Data. This definition includes, but is not limited to, collection, recording, organization, storage, retrieval, use, disclosure, anonymization, pseudonymization or deletion.|
|Processor||The natural or legal person responsible for the Processing of Personal Data on behalf of a Controller.|
|Pseudonymization||Replacing a Data Subject’s name and most other identifying characteristics with a label, code or other artificial identifiers in order to protect against the identification of the Data Subject. The identification can be made by using additional information kept separately from the Pseudonymized Personal Data.|
|Personal Data about a Data Subject’s:|
▪ Medical or health conditions (physical or mental)
▪ Financial information
▪ Racial or ethnic origin
▪ Political opinions
▪ Religious or philosophical beliefs
▪ Trade-union membership
▪ Sex life or sexual orientation
SPI may also be referred to as “Special Category Data.”
|Staff Augmentation||Any natural person who is (a) authorized to Process Personal Data on basis of a contract with Bioclinica for the performance of services for Bioclinica and/or its customers and (b) is required to comply with Bioclinica’s data protection policies and procedures in the performance of such services, including this Policy.|
Any natural person meeting the description above is working according to this Policy and will not be required to enter into a separate Data Processing Agreement with Bioclinica.
|Third Party||Any natural or legal person, public authority, agency or body, other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or the Processor, are authorized to Process the Personal Data. Bioclinica legal entities also are considered a Third Party if those legal entities are not authorized to Process the Personal Data under the direct authority of the Controller or the Processor.|
Principles and Rules
Collecting and Using Personal Data
One of the key principles of Data Privacy requires Bioclinica to only Process Personal Data in a fair, lawful and transparent manner.
The following principles apply to the collection and use of Personal Data (see the specific requirement regarding Processing of Sensitive Personal Data (SPI) below):
- Processing of Personal Data (including its collection and use) will only take place when there is a purpose and legal basis for it. The legal justification should always be in place and documented before the collection and use of Personal Data. Below is a list of legal justifications:
- Consent: The Processing of Personal Data is performed based on a documented and freely given Consent from a Data Subject.
- Contract: The Processing of Personal Data is performed in accordance with a contract with a Controller or in order to take steps at the request of a Data Subject prior to entering into a contract.
- Legal obligation: The Processing of Personal Data is necessary to comply with current legislation (not including contractual obligations).
- Vital interests: The Processing of Personal Data is necessary to protect someone’s life.
- Public task: The Processing of Personal Data is necessary to perform a task in the public interest, and the task or function has a clear basis in law.
- Legitimate interests: The Processing of Personal Data is necessary for legitimate interests of Bioclinica or a Third Party. This justification can only be used if the legitimate interest does not pose a risk to the protection of the Data Subject’s Personal Data (this risk-benefit assessment needs to be documented) and provided to the Data Subject (see below regarding notifying Data Subjects).
- Processing of SPI may only be performed if one of the following applies:
- The Data Subject has given his or her explicit Consent to the Processing of the SPI, except where the applicable laws prohibit Processing of SPI on basis of Consent.
- The Processing is necessary for the purposes of carrying out the obligations and specific rights of the Controller in the field of employment law in so far it is authorized by law providing for adequate safeguards.
- The Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his or her Consent.
- The Processing relates to SPI which is manifestly made public by the Data Subject.
- The Processing of SPI is necessary for the establishment, exercise or defense of legal claims.
- The Processing of SPI is necessary for fulfilling requirements in specific legislation (e.g., in relation to patient treatment or reporting of adverse events to public authorities).
- When acting as Controller, Bioclinica will notify Data Subjects about how their Personal Data will be used prior to collection of the Personal Data, i.e., when contact between Bioclinica and the Data Subject is within the scope of Bioclinica’s products or services. When applicable, the Data Subjects may be notified in writing or orally, and such notification should include:
- the intended purposes and legal justification for Processing the Personal Data.
- the retention period for the Personal Data.
- name and contact details of the Controller.
- contact details of Bioclinica’s Data Protection Officer
- categories of Personal Data obtained, or disclosed
- details of transfers of the Personal Data to any third countries or international organizations.
- recipients or categories of recipients of the Personal Data.
- rights available to Data Subjects in respect of the Processing:
- the right to withdraw Consent at any time and the specific consequences of withdrawal.
- the right to access the Data Subject’s own Personal Data.
- the right to request disclosure of the categories and specific pieces Per-sonal Data collected about the Data Subject, the categories of sources such Persona Data is collected from, the business or commercial purpose for collecting such Persona Data, the categories of third parties with whom the Personal Data is shared with, and the categories of Personal Data dis-closed about the Data Subject for a business purpose.
- the right of rectification, erasure/deletion or restriction of Personal Data unless this action is in violation of applicable legislation. As an example, Personal Data Processed in connection with a clinical trial may not be erased during the clinical trial as this action is contradicted by the retention timelines and audit trail requirements set forth in the laws, regulations and guidance relating to the performance of clinical trials.
- the right not to be discriminated against due to exercise of the Data Subject’s rights, such as through denying goods or services to the Data Subject, charging or suggesting different prices or rates for goods or services, including through the use of discounts, benefits or penalties, or providing or suggesting a different level or quality of goods or services to the Data Subject.
- the right to lodge a complaint with a supervisory authority.
- the right of data portability. On request from a Data Subject (preferably in writing), Bioclinica will provide the Data Subject with the Personal Data Processed by or on behalf of Bioclinica regarding the Data Subject in a structured, commonly used and machine-readable format.
- The Processing of Personal Data will only occur in relation to the specific business purpose(s) of which the Data Subject has been informed.
- Data Subjects must be notified if their Personal Data will be disclosed to a Third Party or will be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Data Subjects. Data Subjects must be provided with clear, conspicuous, and readily available mechanisms to exercise choice based upon the legal grounds of the Processing of their Personal Data.
Within the 12-month period preceding the date of this Policy, Bioclinica has collected the following types of Personal Data: (1) business contact information to enable Bioclinica’s products and services; and (2) patient information.
|Types of personal in-formation||Business contact information to enable Bioclinica’s products and services and patient information|
|Individual details||Name, address (including the state or country within which you are based), other contact details (e.g. email and telephone numbers), gen-der, employer, and job title|
|Special categories of personal information||(1) Health data including clinical test results, sample number and clinical visit number; (2) (possibly) race and ethnicity where so relevant for the data of the clinical research or other form of medical research; (3) (possibly) sex life where so relevant for the data of the clinical research / other form of medical research where so reported.|
Within the 12-month period preceding the date of this Policy, Bioclinica has disclosed the following types of Personal Data about Data Subjects for a business purpose: (1) business contact information to enable Bioclinica’s products and services; and (2) patient information.
|Types of personal in-formation||Business contact information to enable Bioclinica’s products and ser-vices and patient information|
|Individual details||Name, address (including the state or country within which you are based), other contact details (e.g. email and telephone numbers), gen-der, employer, and job title|
|Special categories of personal information||(1) Health data including clinical test results, sample number and clin-ical visit number; (2) (possibly) race and ethnicity where so relevant for the data of the clinical research or other form of medical research; (3) (possibly) sex life where so relevant for the data of the clinical research / other form of medical research where so reported.|
Any question related to the Processing of Personal Data should be addressed to Bioclinica’s Data Protection Officer (DPO) at firstname.lastname@example.org.
Management and Maintenance of Personal Data
The following principles apply to the management and maintenance of Personal Data:
- Bioclinica will Process the minimum amount of Personal Data reasonably necessary to support its business activities.
- Personal Data will be kept accurate and updated.
- Personal Data will not be disclosed to anyone (including external and internal staff) who is not authorized or does not have a valid business need to access to the Personal Data. This means that reasonable safeguards will be put in place to protect the Personal Data against threats such as: (1) Loss or theft, (2) Unauthorized access, use, or disclosure, (3) Improper copying, modification, or tampering, (4) Improper retention or destruction, and (4) Loss of integrity, availability, and access to the Personal Data.
- Personal Data will be kept for as long as its Processing is necessary in relation to the specific purpose and legal requirements.
- Personal Data will be used, to the extent feasible and appropriate, in an Anonymized or Pseudonymized form.
- Personal Data will be securely destroyed at the end of the applicable retention period.
- Appropriate and reasonable steps will be taken to prevent the use of Personal Data in a manner different than the original purpose(s) for which the Personal Data was Processed.
- Employees shall report a suspected Data Privacy Breach to Bioclinica’s Data Protection Officer (DPO) at email@example.com immediately and no longer than 24 hours of becoming aware of such suspected Data Privacy Breach.
- All requests from Data Subjects regarding their rights, including the right to access, rectify, or delete their Personal Data should be submitted to Bioclinica’s Data Protection Officer (DPO) at firstname.lastname@example.org or by calling +1 (877) 632-9432. Each request, along with the associated resolution and disposition, will be documented. All requests will be processed and replied to within 30 days from receipt. If Bioclinica is not able to fully reply within such period, the Data Subject will receive information about when a full reply can be expected (no later than additional two months).
Each Bioclinica legal entity that is processing Personal Data will maintain a record of all categories of Processing activities involving Personal Data. The record of Processing activities will be kept in writing, including electronic form. Bioclinica utilizes an electronic system for managing this record, ensuring that an updated version of this record will be available.
For more details on the requirement for this record, please refer to Article 30 of the GDPR. In case of questions regarding the electronic system that Bioclinica is using, or questions in general regarding the record of Processing activities, please contact Bioclinica’s Data Protection Officer (DPO) at email@example.com.
If Bioclinica is acting as Controller and the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, an assessment of the impact of the envisaged Processing on the protection of the Personal Data (Data Protection Impact Assessment (DPIA)) is required. If the DPIA indicates that the Processing would result in a high risk in the absence of measures taken to mitigate the risk, the relevant Data Privacy Agency shall be consulted prior to the Processing of the Personal Data.
For more details on the requirement for a DPIA, please refer to Article 35 of the GDPR or contact Bioclinica’s Data Protection Officer (DPO) at firstname.lastname@example.org.
Disclosure of Personal Data to a Processor / Controller
Bioclinica may share Personal Data with a Processor / Controller for legitimate business reasons. Personal Data may not be shared with a Third Party unless required to do so by law or based on a Data Subject’s specific consent.
Whenever a Processor is Processing Personal Data on behalf of Bioclinica, allowing the Processor to have to access to such Personal Data, a Data Processing Agreement (DPA) is required between the Processor and Bioclinica. For more details on the requirement for a DPA, please refer to Article 28 of the GDPR or contact Bioclinica’s Data Protection Officer (DPO) at email@example.com.
For Processors / Controllers that are outside the European Economic Area (EEA) and established in countries not ensuring an adequate level of protection according to the European Commission, additional safeguards must be put in place to ensure that the protection of the Data Subjects are not undermined. Adequate safeguards may be provided by entering into an agreement with the Processors / Controllers and/or the sub-processor, ensuring respect of the European rules on cross border data flows, e.g. the EU Standard Contractual Clauses adopted by the EU Commission.
Any question related to the disclosure of Personal Data to Processors / Controllers should be addressed to Bioclinica’s Data Protection Officer (DPO) at firstname.lastname@example.org, or made by calling +1 (877) 632-9432.
Training and Awareness
All Bioclinica’s legal entities and their respective employees (permanent and temporary), secondees, and Staff Augmentation must familiarize themselves with this Policy and any other Bioclinica privacy-related documents. Also, Bioclinica expects that all managers are familiar with the applicable privacy legislation and ensure that direct reports are sufficiently trained regarding data privacy and the principles outlined in this Policy.
Bioclinica’s Data Privacy Office will publish required training to support the implementation of this Policy.
Reporting Potential Misconduct/Non-Retaliation
All Bioclinica’s legal entities and their respective employees (permanent and temporary), secondees, and Staff Augmentation are responsible for the reporting of any potential violation of any applicable data protection laws and regulations or this Policy.
|Potential violations are to follow critical issue escalation procedures or to be reported to Bioclinica’s Data Protection Officer (DPO) at email@example.com.|
Data Subjects reporting a potential violation or assisting in any inquiry or investigation of a potential violation will be protected against retaliation. **
Breach of this Policy
Breach and/or non-compliance with this Policy may lead to disciplinary action, including termination of employment or contract. Bioclinica also reserves the right to disclose any wrongdoing to governmental authorities.
Standard Operating Procedures and Systems
The principles set forth in this Policy are to be implemented in all applicable Bioclinica Standard Operating Procedures (SOP) and systems. This action is done to assure that the principles are implemented into the day-to-day business operations.
Responsibilities and Implementation
All Bioclinica’s legal entities and their respective employees (permanent and temporary), secondees, and Staff Augmentation must adhere to the principles set forth in this Policy.
The owner of this Policy is Bioclinica’s Data Privacy Office.