Firma’s Approach to Privacy
Firma Clinical Research (Firma) processes personal information from many countries, which have a diversity of privacy-related laws and regulations. Firma takes its responsibility to protect the personal information it processes seriously. Firma has policies, standard operating procedures, and training that support Firma’s compliance with applicable laws and regulations in each region.
Types of Personal Information Processed by Firma and the Purposes for Processing
Pseudonymized Data from Subjects in Clinical Trials
Firma collects and further processes personal information from subjects in clinical trials. Virtually all of this personal information is health-related and is thus sensitive personal information, belonging to a special category (in the language of the General Data Protection Regulation [GDPR]). In such clinical trials, the individuals whose personal information is processed are identified only by a coded identifier. The link between these coded identifiers and actual identifiers such as name and contact information is held only by personnel of the relevant study clinical site. For such clinical trial data, Firma processes the data as stipulated by contract with the sponsoring pharmaceutical or device company, which determines the purpose and means of the processing. Firma carries out such processing to fulfill the legitimate business purposes specified in the contract.
Non-pseudonymized Data from Subjects in Clinical Trials
For Firma’s Home Trial Services, Firma also collects non-pseudonymized clinical trial subject contact information in order to conduct subject visits in locations other than clinical trial investigative sites. These data are encrypted in transit and at rest.
Data from Professional Contacts from Firma’s Clinical Trial Work
Integral to its clinical trial work, Firma collects personal information from many sources, including investigative site staff, sponsor (client) staff, home health agency staff, staff from other Firma vendors, staff from other contract research organizations, and consultants. The personal data collected from investigative site staff are their professional contact details: first name, last name, postal address of the site, professional phone, professional email.
Employment-related Personal Information Within Firma
Firma collects and otherwise processes sensitive employment-related personal information from applicants to Firma positions (including background checks) as well as from Firma employees and contractors. Firma uses these data to carry out vital human resource functions.
Personal Information from Business Development Contacts
When Firma personnel carry out their business development and marketing functions, they contact a variety of individuals, from whom they collect names and contact information in the ordinary course of business.
Personal Information from Visitors to the Firma Web Site
Disclosures of Personal Information
- Firma does not sell personal information.
- Firma shares personal information within Firma itself, with service providers to Firma, and with other third parties only as necessary to achieve our contractually-obligated business purposes.
- Companies working as service providers to Firma are required to sign “processor” and/or confidentiality contracts in which they commit to process personal information from Firma according to their contractual obligations, using appropriate technical and organizational security measures.
- Firma discloses personal data to those of our clients who contract with us for our clinical trial services. We also disclose these clinical trial data in regulatory submissions. In such disclosures, the individuals whose personal information is disclosed are identified only by a coded identifier. The link between these coded identifiers and actual identifiers such as name and contact information is held only by personnel of the relevant study clinical site.
- Firma may be required to disclose personal information by actions of law enforcement, for example, in response to a subpoena or court order.
- Firma may disclose personal information in relation to potential or actual business transactions, such as a merger or sale of our business or assets.
International Transfers of Personal Information
Firma collects personal information from many countries. As necessary in our work, we may transfer personal information from one country to another, including to third countries, such as the United States, which are not judged by the European Union as having adequate privacy safeguards for personal information. As legal protections of personal information differ among countries, Firma takes appropriate safeguards to ensure that such data transfers are made safely and legally.
Notice and Consent
For Firma’s clinical trial work, notice and consent for the clinical trial subjects are the responsibility of our Clients, the sponsors of the study, who determine the purposes and means of the processing of personal data by Firma.
When Firma is responsible for providing notice, Firma provides relevant notice as soon as reasonably practicable for the following particulars:
- Under whose authority the personal information is being collected;
- The purpose for collecting the personal information and the legal basis for doing so;
- The recipients of the personal information;
- If applicable, the fact that it is planned that the personal information be transferred to a third country and whether that country is judged by the European Commission to protect personal information adequately, and, if not judged adequate, the safeguards to ensure personal information’s protection;
- The period of data storage or the criteria to determine such;
- The individual’s personal information-related rights, such as the rights to access, correction, and deletion of personal information, and the right to complain to a supervisory authority competent to receive such complaints.
When required by law, Firma discloses personal information without consent.
Firma has comprehensive procedural safeguards in place designed to ensure the high quality of its data, consistent with good clinical practice and other legal and regulatory requirements.
Consistent with regulations, Firma collects personal information that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The retention period for personal information within Firma varies by category, but is consistent with relevant legal, regulatory, and contractual requirements.
Individuals’ Rights Related to Their Personal Data
Firma ensures that individuals can exercise all legal or contractually-obligated rights with respect to their personal information processed by the company, including the following rights:
- the right to be informed of all information necessary to ensure fair and transparent processing;
- the right of access to her/his personal information [since the personal information processed for subjects in clinical trials has been coded to hide the subjects’ identity, to access study-related data the subjects must contact the study site to obtain the code used in the study for her/his identity];
- the right to rectification (correction) of her/his personal information and completion of any incomplete personal information;
- the right to erasure of her/his personal information upon request (“the right to be forgotten”);
- the right to restrict processing under certain circumstances (for example, if the accuracy of the personal information is contested);
- the right to data portability in a structured, commonly used and machine-readable format for transmission to her/him or another organization;
- the right to object to processing her/his personal information, for example for purposes of direct marketing;
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, unless certain criteria are met, such as the subject having given explicit consent to such automated processing;
- the right to withdraw, at any time, previously given consent [however, when such withdrawal occurs, the personal information previously collected under valid consent will not be expunged].
Firma Information Security
Firma employs technical and organizational security measures designed to protect personal information against a personal data breach, defined broadly as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Such security measures, including encryption of data at rest and in transit, are designed to ensure the confidentiality, integrity, availability and resilience of Firma’s processing systems and services.
Firma has a comprehensive procedure in place for responding to any security breach of personal information, including criteria for when notification of regulatory authorities and/or individuals whose personal information has been breached is required.
Firma Website Considerations
Your relationship to cookies on the Firma web site can generally be adjusted through your browser settings.
If you leave the Firma web site by clicking on a link, please note that Firma does not control any web sites linked to the Firma web site.
Children’s Online Privacy Protection
Firma’s web site is not directed at children less than 13 years old. Also, Firma does not knowingly collect information from such children.
Questions, Complaints and Request to Exercise Rights
Please direct such communications to the Firma Chief Privacy Officer, using either of the following methods:
- Send an e-mail to firstname.lastname@example.org
- Send conventional mail to the following address:
Firma Clinical Research, LLC
Attn: Chief Privacy Officer
211 Schilling Circle, Suite 188
Hunt Valley, MD 21031
If you are in the EEA and have a question or complaint about the handling of your personal data, you also have a right to complain to the supervisory authority of your Member State, which is competent to monitor and enforce the application of the GDPR. Please refer to the list of all EU supervisory authorities, organized by Member State, on the European Data Protection Board website: https://edpb.europa.eu/about-edpb/board/members_en.
Additional Privacy Information for California Residents