Privacy Shield Frameworks
“Client” or “Sponsor” means an entity that contracts with Firma Clinical Research to provide contract research organization services for clinical research studies sponsored by such entities and that involve the transfer, processing, or reporting of Personal Information for or on behalf of and under the instructions of such entity.
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘data subject’) and that is transferred from the EU/EEA or Switzerland. An “identifiable person” is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.”
“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns the health or sex life of an individual, and for purposes of compliance with the Swiss – U.S. Privacy Shield Framework, includes ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
“Subcontractor” means any individual, corporation, or other entity under written contract with Firma Clinical Research to assist Firma Clinical Research in fulfilling its responsibilities under its contracts with Sponsors. “Subcontractor” includes home health providers that contract with Firma Clinical Research to provide remote health research study visits.
About Firma Clinical Research
Firma Clinical Research is a contract research organization (“CRO”) that performs biostatistics, data management, medical writing, clinical operations, including home health research study visits, and clinical pharmacology in support of specific medical or pharmaceutical research studies (“Clinical Studies”). Firma Clinical Research performs such clinical research support services on behalf of its Clients, who sponsor the Clinical Studies. Firma Clinical Research’s contracts with its Clients specify the terms and conditions under which Firma Clinical Research may process and transfer Personal Information, including Sensitive Information, as part of its CRO services (“Clinical Study Contracts”). Firma Clinical Research processes and transfers Personal Information as authorized and permitted by, and to perform its obligations under, the Clinical Study Contracts, or as required by law.
Personal Data Collected by Firma Clinical Research
To perform its CRO services, Firma Clinical Research receives and processes Personal Information, including Sensitive Information, on individuals who are participating as subjects in the Clinical Studies in EU/EEA countries, as well as in Switzerland. When possible, Firma Clinical Research also receives and processes pseudonymized data on subjects who participate in Clinical Studies in EU/EEA countries as well as in Switzerland. These data are pseudonymized since individual study subjects are identified to Firma Clinical Research only by arbitrary subject identifiers, while the link between such subject identifiers and the actual identity of such subjects is known only to the clinical trial sites.

In addition, Firma Clinical Research obtains Personal Information about home health service agencies with whom it contracts to credential specific home health service providers to provide the remote site visit services. In performing its business as a CRO, Firma Clinical Research also collects personal information on its contacts within the clinical trial Sponsors with which it does business as well as within its Subcontractors.

We may also collect information such as device IP addresses and analytical tracking information from visitors to our web site. We also collect personal information from visitors to our web site, who give such information so that Firma Clinical Research can contact them with additional information on our services.

The purpose for which Firma Clinical Research collects, processes and transfers Personal Information, including pseudonymized data and the Personal Information about clinical trial subjects, home health agencies and service providers and other Subcontractor and Sponsor contacts, is to support Clinical Studies in which the individual study subjects participate, including to record and summarize the data collected in these Clinical Studies, as directed by the Sponsors.
We also collect personal information of visitors to our offices in the context of access control. These individuals are generally visiting our offices so that they can discuss using our services.
Data Subjects’ Rights Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)
Under the GDPR, data subjects have rights about how their personal data are processed. These rights are summarized as follows:
- the right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
- the right to access: This right, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information.
- the right to rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
- the right to erasure: The GDPR introduces a right for individuals to have personal data erased.
- the right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data.
- the right to data portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- the right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- the right not to be subject to automated processing: The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement).
A fuller explanation of these rights (in English) is available on the website of the United Kingdom’s Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/. The brief summaries above were taken primarily from this web site. As is clear from the fuller explanations, these rights are contextual and often not absolute. For example, some rights in some cases may be overridden by contractual obligations.
If in the future Firma Clinical Research acts as a data controller for EU/EEA/Swiss data, it will comply with the Privacy Shield and GDPR privacy principles for Notice and will amend this policy accordingly.
Choice: The Clinical Study Sponsors, as the data controllers, direct Firma Clinical Research in providing study subjects with their right to choice. The Sponsors are responsible and will direct Firma Clinical Research to provide study subjects the choice whether their Personal Information is to be disclosed to a third party and the choice whether their Personal Information is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Similarly, for Sensitive Personal Information, the Sponsors are responsible for and will direct Firma Clinical Research to give individuals the opportunity to affirmatively or explicitly choose to allow the disclosure of their Sensitive Personal Information for a purpose other than the purpose for which it was originally collected or to be disclosed to a third party. Firma Clinical Research provides the home health agencies and service providers with their right to choice and will provide them with the choice whether their Personal Information is to be disclosed to a third party and the choice whether their Personal Information is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual, and for Sensitive Information will obtain their explicit consent for such use or disclosure. Requests to opt out of such uses or disclosures may be sent to the Chief Privacy Officer at firstname.lastname@example.org, or at the following address:
Firma Clinical Research, LLC
Attn: Chief Privacy Officer
224 Schilling Circle, Suite 1888
Hunt Valley, MD 21031
Personal data from business associates of Firma Clinical Research, such as those within investigative sites, Sponsors, and Subcontractors, will not be shared with third parties, unless mandated for regulatory or legal purposes.
If in the future Firma Clinical Research acts as a data controller for EU/EEA/Swiss data, it will comply with the Privacy Shield and GDPR privacy principles for Choice and will amend the policy accordingly.
Data Security: Firma Clinical Research has implemented physical, electronic, and administrative measures, including procedural and managerial security measures, to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Employees who may access such Personal Information receive training on this Privacy Shield/GDPR policy and are held responsible for compliance with it, with disciplinary action for non-compliance.
Access: Firma Clinical Research acknowledges the individuals’ right to access their personal information. For Firma Clinical Research to provide such access to an individual who is a study subject, the relevant data controller (Firma Clinical Research’s Client) would need to confirm that the individual is who he/she claims to be and, per contract, give permission for Firma Clinical Research to allow the data subject to access (etc.) his/her data. [Please see below.] Participants in “blinded” clinical trials do not have to be provided access to the data on their treatment during the trial if this restriction has been explained when the participant entered the trial and the disclosure of such information would jeopardize the integrity of the research effort.
Firma Clinical Research, LLC
Attn: Chief Privacy Officer
224 Schilling Circle, Suite 1888
Hunt Valley, MD 21031
Data subjects may also object to the processing of their data by application to the Chief Privacy Officer. In such circumstances, Firma Clinical Research will evaluate such objection in light of Firma Clinical Research’s other obligations. After our evaluation of this objection, we will respond to the data subject and take any appropriate action.
Regarding data portability, for personal data that data subjects have provided to a controller in a structured, commonly used and machine-readable format, and to which Firma Clinical Research has access, Firma Clinical Research will pass any request from a data subject for such data to the relevant controller for implementation.
Recourse, Enforcement and Liability: There are three necessary components to compliance with this Privacy Shield privacy principle:
- Independent recourse mechanism:
Firma Clinical Research, LLC
Attn: Chief Privacy Officer
224 Schilling Circle, Suite 1888
Hunt Valley, MD 21031
Firma Clinical Research has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Finally, as a last resort and under limited circumstances, individuals whose complaints have not been satisfied may seek recourse before the Privacy Shield Panel, a binding arbitration mechanism.
- Verification: Firma Clinical Research uses a self-assessment approach. Firma Clinical Research verifies that:
- It has in place procedures for training employees in its implementation, and disciplining them for failure to follow it.
- It has in place internal procedures for periodically conducting objective reviews of compliance with the above.
- A statement verifying the self-assessment will be signed by the Firma Clinical Research Chief Privacy Officer, an authorized representative of the organization, at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance.
- Remedy: Firma Clinical Research’s commitment to the independent recourse mechanism of the BBB EU Privacy Shield Program includes its commitment to remedies that arise from dispute resolution carried out by that entity.
- Firma Clinical Research is potentially liable in cases of onward transfer of Privacy Shield Personal Data to third parties.
- Firma Clinical Research is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Limitations: Adherence by Firma Clinical Research to the Principles (and this Privacy Shield Policy) will be limited as explicitly permitted by the Principles: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; or (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, Firma Clinical Research’s non-adherence is limited to the extent necessary to meet the overriding legitimate interests. Where the option is allowable under the Principles and/or U.S. law, Firma Clinical Research will opt for the higher protection where reasonably possible.
Appendix 1: Privacy Shield Privacy Principles
1. NOTICE
- An organization must inform individuals about:
- its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
- the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
- its commitment to subject to the Principles all personal data received from the EU and Switzerland in reliance on the Privacy Shield,
- the purposes for which it collects and uses personal information about them,
- how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU or Switzerland that can respond to such inquiries or complaints,
- the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
- the right of individuals to access their personal data,
- the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
- the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
- being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body,
- the possibility, under certain conditions, for the individual to invoke binding arbitration,
- the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
- its liability in cases of onward transfers to third parties.
This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
2. CHOICE
- An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
- By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent.
- For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
3. ACCOUNTABILITY FOR ONWARD TRANSFER
- To transfer personal information to a third party acting as a data controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party data controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.
- To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (v) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
4. SECURITY
- Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
5. DATA INTEGRITY AND PURPOSE LIMITATION
- Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information.
6. ACCESS
- Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
7. RECOURSE, ENFORCEMENT AND LIABILITY
- Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include:
- readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide;
- follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and
- obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.
- Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints.
- Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I.
- In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
- When an organization becomes subject to an FTC or court order based on noncompliance, the organization shall make public any relevant Privacy Shield related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions.