Data Privacy Framework Policy

Effective Date: April 20, 2020

Data Privacy Framework provides companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union, United Kingdom, and Switzerland to the United States in support of transatlantic commerce.

Overview:

FHI Clinical complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. FHI Clinical has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. FHI Clinical has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over FHI Clinical’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Scope:

This Policy applies to all Personal Data of Data Subjects received by FHI Clinical in the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), or Switzerland, including Personal Data of consumers, healthcare professionals, patients, medical research subjects, clinical investigators, customers, suppliers, vendors, job applicants, business contacts and partners, investors, and government officials.

Adherence to the Data Privacy Framework Principles may be limited (i) to the extent required or allowed by applicable law, rule, or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Data Subject. Also, this Policy may not apply or may be limited when Personal Data is collected or processed by the following:

  • FHI Clinical, under an agreement that contains the requisite Model Contract Clauses approved by the European Commission with respect to the Personal Data;
  • FHI Clinical, when necessary for the performance of a contract (e.g., an employment contract) between a Data Subject and FHI Clinical; or
  • Any FHI Clinical affiliate, successor, subsidiary, business division or group that makes a separate certification to Data Privacy Framework, whether or not such certification covers only part of or all types of Personal Data in scope of this Policy.

Definition:

  1. Agent – Any third party that uses Personal Data provided to it by FHI Clinical to perform tasks on behalf of and/or under the instructions of FHI Clinical or to which FHI Clinical discloses Personal Data for use on its behalf.

  2. Controller – A person or organization that decides what personal data will be collected and how it will be collected, stored, and used, and then collects and processes data, either directly or through a processor, for its own purposes.

  3. Data Subject – Any natural person located in the European Union / European Economic Area, United Kingdom (and Gibraltar), or Switzerland whose Personal Data is shared with FHI Clinical in the United States. Sometimes referred to as “you” or “your.”

  4. European Economic Area (EEA) – For the purposes of this Policy, composed of the following thirty (30) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

  5. Personal Data – Any information that relates to an identified or identifiable natural (living) person (a “data subject”), such as names, email addresses, identification numbers, online identifiers (e.g., IP addresses), employee or applicant information, location data, biometric data, photographs, and health or financial information. The term “Personal Data” does not include non‐identified information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person) and publicly available information that has not been combined with non‐public personal information.

  6. Data Privacy Framework Principles – The seven (7) privacy principles, as well as the supplemental privacy principles and the associated guidance; details can be found at https://www.dataprivacyframework.gov.

  7. Processing – Collection, storage, use, sharing, or destruction of personal data, whether manually or by electronic or automated means.

  8. Processor – A person or organization that processes personal data on behalf of a controller.

  9. Sensitive Personal Data – Health, genetic, and biometric information; information relating to children; and data that reveals the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation.

Policy:

FHI Clinical notifies Data Subjects covered by this Data Privacy Framework Policy about its data practices regarding Personal Data received by FHI Clinical in the U.S. from European Union / EEA member countries, United Kingdom (and Gibraltar), and Switzerland in reliance on the respective Data Privacy Framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that FHI Clinical offers for limiting its use and disclosure of such Personal Data, how FHI Clinical’s obligations under the Data Privacy Framework are enforced, and how Data Subjects can contact FHI Clinical with any inquiries or complaints. FHI Clinical will provide information about its participation in Data Privacy Framework and reference to the Data Privacy Framework List (https://www.dataprivacyframework.gov/s/participant-search). Notice will be provided in clear and conspicuous language.

Where FHI Clinical receives Personal Data from its subsidiaries, affiliates, or other entities, including when acting as a Contract Research Organization (CRO) processing Personal Data under the direction of a customer, it will use such information in accordance with the notices provided by such entities and the choices made by the Data Subjects to whom such Personal Data relates.

In circumstances in which FHI Clinical obtains Personal Data as a service provider for its clients or affiliates, FHI Clinical’s clients or affiliates are responsible for providing appropriate notice to the Data Subjects whose Personal Data are transferred to the U.S. and obtaining any requisite consent (unless this function has been delegated to FHI Clinical).

Types of Personal Data collected, Purposes of Collection and Uses of Personal Data:

FHI Clinical may also use the Personal Data collected below to comply with its legal and regulatory obligations, policies and procedures, and for internal administrative purposes.

A. Research Studies-Related Information. For Data Subjects participating in research studies being managed by FHI Clinical as a CRO or in other situations where FHI Clinical is participating in research studies, including patients, their spouses/partners, caregivers, and relatives, clinical investigators or other study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates, business partners and third‐party service providers, Personal Data may be used in order to carry out the applicable studies and other study‐related services and/or pharmacovigilance. This may include the transfer of such Personal Data to the applicable study sponsor, its corporate affiliates, business partners and third‐party service providers performing services related to the study (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).

B. Human Resources-Related Information. For Data Subjects who are FHI Clinical employees, consultants and contractors (Personnel), we will process Personal Data to carry out and support our human resources functions and activities, including but not limited to, (i) evaluation of qualifications for an employment position; (ii) provision of employment benefits; (iii) administration and management of employees, compensation, stock options, grants and purchase plans, bonuses, retirement, training, and career planning; (iv) utilizing employee skills and ongoing employee resource allocation; (v) communicating with employees or their emergency contacts; (vi) administration of the company’s business including budgeting, manpower planning, and organizational design; (vii) authentication of the individual’s identity when gaining access to computer system applications; (viii) Personal Data changes; (ix) employment status changes; (x) travel and expense planning and reimbursement; (xi) evaluation of employee performance and time management; and (xii) management of Personnel performance, and implementation, investigation and reporting on compliance and discipline procedures and matters. FHI Clinical may provide Personal Data to Agents to support FHI Clinical in performance of these human resources‐related activities. Further information concerning how FHI Clinical collects, uses, shares, and safeguards the Personal Data of Company Personnel is available to FHI Clinical Company Personnel in FHI Clinical’s internal privacy policy. In addition, for job applicants, Personal Data will be used for the evaluation of suitability of the applicant for a position. FHI Clinical may, at its discretion and with the consent of the candidate where required by law or otherwise obtained, perform such background checks as deemed appropriate to evaluate this suitability.

C. Business Contacts. For Data Subjects who are business contacts of FHI Clinical, FHI Clinical may collect Personal Data concerning contact information for such business contacts. This information may be used for purposes consistent with the provision of information by these contacts, which may include marketing activities focused on sales of new products and services, requests to participate in market research that enhances FHI Clinical’s product offerings, and other business activities.

D. Health Care Professionals. FHI Clinical collects information about health care professionals directly from the health care professionals, from public sources and from business partners. We use this information in connection with various health care activities, including clinical trials, real world studies of patient treatment, health care outcomes analysis, market research activities, and other situations where primary intelligence from health care professionals is applicable.

E. Customers and Program Participant Information. For Data Subjects sharing Personal Data with FHI Clinical to inquire about or otherwise make use of our services or purchase, receive, or seek information, including about any health care products and services, opportunities to participate in clinical research, health care education and patient support programs which may be available through FHI Clinical, we will use such Personal Data to provide the requested information, products, and/or services. Such uses may include but are not limited to processing requested transactions, improving the quality of our services, sending communications about the products and services available through FHI Clinical, and enabling our business partners and Agents to perform certain activities on our behalf.

F. Data Analytics Functions. In certain situations, FHI Clinical obtains and processes information about Data Subjects for various data analytics purposes. In most situations, this data has been anonymized or de‐identified and is no longer Personal Data when it is obtained by FHI Clinical (or when it is transferred to the United States). In some situations, FHI Clinical receives Personal Data from a customer or other data supplier for the purpose of such anonymization or de‐identification. In other situations, the data that is obtained and processed by FHI Clinical is pseudonymous. This pseudonymous information may be used for research purposes, primarily in connection with academic partners, and may be transferred by FHI Clinical to the United States as part of these research-related activities. In all these situations, FHI Clinical’s activities are consistent with the notice and choice provided by these customers or data suppliers to Data Subjects, and FHI Clinical’s use of this information is consistent with FHI Clinical’s obligation to provide services to these entities. In those situations, and where such information is transferred to the United States, FHI Clinical uses such information only in manners consistent with the Data Privacy Framework Principles and the manner in which this data was obtained.

Choice:

If Personal Data covered by this Data Privacy Framework Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, FHI Clinical will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: dpo@fhiclinical.com.

If Sensitive Personal Data covered by this Data Privacy Framework Policy is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party, FHI Clinical will obtain the Data Subject’s explicit consent prior to such use or disclosure.

In some cases, even if a Data Subject opts out of disclosures of their Personal Data, FHI Clinical may still disclose such Personal Data (i) if required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce FHI Clinical policies or contracts; (v) to collect amounts owed to FHI Clinical; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) when we believe in good faith that disclosure is otherwise necessary or advisable. FHI Clinical also may transfer Personal Data when a material event concerning its business operation(s), assets, or shares, such as purchase, disposal, merger, joint venture, or acquisition, is proposed or occurs. In such an event, FHI Clinical will endeavor to direct the transferee to use Personal Data in a manner that is consistent with this Policy. FHI Clinical will provide Data Subjects with reasonable mechanisms to exercise their choices to the extent required by applicable law.

Accountability for Onward Transfer:

In the event FHI Clinical transfers Personal Data covered by this Data Privacy Framework Policy to a third party acting as a controller, it will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Data Privacy Framework Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If FHI Clinical has knowledge that a third party acting as a controller is processing Personal Data covered by this Data Privacy Framework Policy in a way that is contrary to the Data Privacy Framework Principles, FHI Clinical will take reasonable steps to prevent or stop such processing.

With respect to our agents, we will transfer only the Personal Data covered by this Data Privacy Framework Policy needed for an agent to deliver to FHI Clinical the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with FHI Clinical’s obligations under the Data Privacy Framework Principles; and (iv) require the agent to notify FHI Clinical if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing, and will provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce upon request.

Security:

FHI Clinical takes reasonable and appropriate measures to protect Personal Data covered by this Data Privacy Framework Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

Data Integrity and Purpose Limitation:

FHI Clinical limits the collection of Personal Data covered by this Data Privacy Framework Policy to information that is relevant for the purposes of processing. FHI Clinical does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

FHI Clinical takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. FHI Clinical takes reasonable and appropriate measures to comply with the requirement under the Data Privacy Framework to retain Personal Data in identifiable form only for as long as it serves a purpose of processing, which includes FHI Clinical’s obligations to comply with professional standards and FHI Clinical’s business purposes, unless a longer retention period is permitted by law, and it adheres to the Data Privacy Framework Principles for as long as it retains such Personal Data.

Access:

Data Subjects whose Personal Data is covered by this Data Privacy Framework Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Data Privacy Framework Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: dpo@fhiclinical.com.

FHI Clinical, when acting as a CRO, has no direct relationship with medical research subjects participating in a clinical trial, and any such Data Subjects who seek access, or who seek to correct, amend, or delete their inaccurate Personal Data, should direct their query to the relevant study sponsor or investigator that has transferred such Personal Data to FHI Clinical for processing.

In circumstances in which FHI Clinical maintains Personal Data as a service provider for its clients or affiliates, FHI Clinical’s clients or affiliates are responsible for providing Data Subjects with access to their Personal Data and the right to correct, amend or delete the data where it is inaccurate. In these circumstances, Data Subjects should direct their questions to the appropriate FHI Clinical client or affiliate. If they do not receive a response, FHI Clinical will provide reasonable assistance in forwarding the Data Subject’s request.

Recourse, Enforcement and Liability:

FHI Clinical’s participation in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF is subject to investigation and enforcement by the Federal Trade Commission.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, FHI Clinical commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact FHI Clinical at: dpo@fhiclinical.com.

In addition, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, FHI Clinical commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to Data Subjects. If any request remains unresolved, Data Subjects may, under certain circumstances, have a right to invoke binding arbitration under the Data Privacy Framework; for additional information, see https://www.dataprivacyframework.gov.

In addition, FHI Clinical has agreed to cooperate with JAMS with respect to complaints of Data Subjects who are not Personnel of the Company, and with the local data protection authorities with respect to Personnel and human resources-related information. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/file-a-dpf-claim. Such independent dispute resolution mechanisms are available to Data Subjects free of charge. If any request remains unresolved, Data Subjects may have a right to invoke binding arbitration under the Data Privacy Framework.

In circumstances in which FHI Clinical obtained or maintains Personal Data as a CRO or other Service Provider, Data Subjects may submit complaints concerning the processing of their Personal Data to the relevant client, in accordance with the client’s dispute resolution process. FHI Clinical will participate in this process at the request of the client or the Data Subject.

FHI Clinical agrees to periodically review and verify its compliance with the Data Privacy Framework Principles, and to remedy any issues arising out of failure to comply with the Data Privacy Framework Principles. FHI Clinical acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Data Privacy Framework participants.

This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Data is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.