Veristat (collectively referred to as “us” or “we” or “Veristat”) is committed to respecting the rights of the individuals on the confidentiality and protection of their Personal Data and processes personal data according to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), and other applicable laws governing the processing of personal data (the “Data Protection Laws”).

This Privacy Policy (Policy) explains how Veristat may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective and past), Investigator and other site staff, clinical trial participants and sponsors of clinical trials where Veristat provides contracted clinical trial services to clients, visitors to the website, or any other individual that Veristat has a relationship with or may need to contact.

Data is transferred outside the UK on the basis of declaration of adequacy.

Unless otherwise specified in the document, this policy applies to all Processing operations carried out by Veristat in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Veristat Data Protection standards and to comply with international regulations governing Data Privacy. When Veristat process Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Veristat). This policy applies to data collected and processed for any business purposes, including Talent & Culture (T&C); however, certain sections will apply only when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union (EU),the United Kingdom (UK), or Switzerland. The policy also describes how any data breaches will be investigated and reported and protects the rights of all individuals who may have personal information collected by Veristat.

Veristat and its U.S. operating subsidiary, Instat Clinical Research (collectively referred to as “Veristat”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Veristat has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Veristat has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. 

Data Sources

Veristat collects and stores data from the following sources :

• Employees, consultants and other contractors
• Investigator sites
• Vendors
• Sponsors
• Website visitors
  
  

Legal Basis for Processing

When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e. legal basis):

The Data Privacy Controller has obtained the previous consent of the Data Subject, and such consent is:

• Informed: a complete privacy notice was provided;
• Issued following a specific request that must be separate from the rest of the text and provided using clear and plain language;
• Freely given: the performance of a contract, including the provision of a service, etc., must not be dependent on the consent;
• Expressed and documented: it is however necessary to keep track of the date of issue of consent as evidence.

Processing is otherwise necessary for:

• Compliance with a legal obligation or regulation (from UK laws, European laws and regulation and applicable national laws in Europe);
• The performance of an agreement or a request made directly by the Data Subject (for example, assistance requested via e-mail or pre-contractual requests);
• The protection of the vital interests of the Data Subject or of another natural person; the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Privacy Controller;
• The fulfilment of a legitimate interest of the Data Privacy Controller or a Third-Party, except where such interest is overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child.

Information to the Data Subjects

When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK, or Swiss employees), before any Processing (e.g. collection, analysis, Processing, updating, modification or erasure) or, if the Personal Data are not provided by the Data Subject, within a reasonable period after obtaining the Personal Data, at the time of the first communication to that Data Subject or when the Personal Data are first disclosed, as the case may be, Veristat provides to the Data Subject the following information in the form of a privacy notice:

• The identity and the contact details of the Data Privacy Controller;
• The contact details of the DPO;
• The purpose(s) of the Processing for which the Personal Data is intended;
• The legal basis for the Processing; where the Processing is necessary for the purposes of the legitimate interests pursued by the Data Privacy Controller or by a Third-Party, details of the legitimate interests;
• The recipients or categories of recipients of the Personal Data; from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources;
• If applicable, the fact that Veristat intends to transfer the Personal Data to a third country and the existence of an adequacy decision or, in the absence of an adequate decision, reference to the appropriate or suitable safeguards that Veristat has put in place;
• The period during which the Personal Data will be stored, or if that is not possible, the criteria used to determine the retention period;
• The existence of the right to request access to and rectification or erasure of, Personal Data, restriction of Processing or to object to Processing as well as the right to data portability;
• Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of the Processing based on consent before its withdrawal; 
• The right to lodge a complaint with the Supervisory Authority;
• Whether providing Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
• The existence of any automated decision-making, including profiling, and explanatory information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and
• Where Veristat intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected.

Veristat has also implemented a Website Privacy Policy and can provide its users with a copy of physical and digital formats upon request. The Website Privacy Policy is the customer facing policy that provides the legal information on how Veristat handles, processes and discloses Personal Data of website visitors.

Rules on Consent

When processing Personal Data of Data Subjects that are resident or based in the EU,  the UK or Switzerland (for example, patients of clinical sites based in the EU,  the UK and Veristat European, UK, or Swiss employees), where Processing is based on “consent”, Veristat ensures that:

• Consent requests are transparent, using plain language and is void of any illegible terms, jargon or extensive legal terms;
• Consent is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes;
• Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the Processing of Personal Data;
• Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand;
• Pre-ticked, opt-in boxes are not used;
• Where consent is given as part of other matters (i.e. terms & conditions, agreements, contracts), Veristat ensures that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service);
• Along with Veristat, details are provided of any other Third-Party who will use or rely on the consent;
• Consent is always verifiable, and Veristat has controls in place to ensure that it can demonstrate consent in every case.

Consent Controls

When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat maintains updated records of Consent to demonstrate that, where applicable, the Data Subject has consented to Processing of their Personal Data.

When processing Personal Data of Data Subjects that are resident or based in the EU,  the UK, or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat also implemented the following consent control mechanisms:

• Opt-out links in mailings or electronic communications;
• Opt-out process explanation and steps on the company website and in all written communications;
• Ability to opt-out verbally, in writing or by email;
• Consent withdrawal requests are processed immediately and without detriment;
• Where services are offered to children, age-verification and parental-consent measures have been developed and are in place to obtain consent;
• Controls and processes have been developed and implemented to refresh consent, especially those relating to parental consents;
• For Special Category of Personal Data, the consent obtained is explicit (stated clearly and in detail, leaving no room for confusion or doubt) with the Processing purpose(s) always being specified.

Third-Party Data Processors and Third-Party Data Privacy Controllers

• Veristat may instruct Third Parties to perform certain Processing activities on its behalf.
• When a Third-Party has to be selected for such purpose, Veristat: Performs a preliminary privacy audit to assess if such Third Party has implemented adequate organizational and security measures; and records all Personal Data that have to be transferred outside the organization.
• The Third Party is then authorized to receive and process that Personal Data by virtue of a data processing agreement whereby the Third Party is entrusted with the duties and responsibility of a Data Processor.
• Before transferring Personal Data to a Third Party, Authorized Personnel must verify, with the assistance of the Data Manager of their department, that the selected Third Party is authorized to process the Personal Data to be transferred.
• Veristat also recognises that the continued protection of the security of Personal Data and Data Subjects’ rights is a top priority when choosing or maintaining a contractual arrangement with a Third Party. Therefore, audits of Data Processors may be also performed regularly during the contractual relationship with them, with or without cause.
• If the Third Party acts in the capacity of independent Data Privacy Controller (or also of joint Data Privacy Controller), specific clauses governing the data protection responsibilities of each party are included in the written contractual arrangement with such Third Party.
• If the Third Party (in the capacity of Data Privacy Controller and Data Processor) is intended to receive from Veristat Special Categories of Personal Data, particular care will be taken in the selection of the Third Party and in the assessment of the organizational and security measures implemented by such Third Party.
• Veristat’s accountability for personal information that it receives under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and subsequently transfers to a third party is described in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles.  In particular, Veristat remains responsible and liable under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles if third party agents that it engages to process the personal information on its behalf does so in a manner inconsistent with EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles, unless Veristat proves that it is not responsible for the event giving rise to the damage.

Security Measures

Veristat takes appropriate technical and organizational measures, consistent with applicable laws and current industry standards, to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction or damage to Personal Data, in light of the risks involved in the Processing and the nature of the Personal Data. 

The handling of health/medical information obtained in clinical research is governed by national and international data protection regulations, laws and rules regarding the development of medicinal products and medical confidentiality. Any medical information collected is maintained under these regulations. 

Veristat has put in place security measures to protect manual and electronic processing of Personal Data and prevent its misuse, subject to local legal requirements. 

Veristat also ensures adequate security is observed by third parties and affiliates processing Personal Data on behalf of Veristat, subject to local legal requirements. 

Data Retention

Veristat has defined retention periods according to the applicable data protection laws, Good Clinical Practice (GCP) and Pharmaceutical laws and regulations.  Veristat will retain personal data for as long as it is necessary to fulfil the purposes we collected it for, as well as to provide our products and services, resolve disputes, establish legal defences, pursue legitimate business purposes, conduct audits, enforce our agreements and comply with applicable laws and regulations.

18. International Transfers of Personal Data

If you wish to know what safeguards we use to transfer your Personal Data, please contact us using the contact information set out below.

Disclosure to Third Parties

Veristat Group of Companies 

We may share your Personal Data with Veristat affiliates, which adhere to our privacy and data-security requirements. In addition, during negotiations of corporate transactions, including any merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including as part of any bankruptcy or similar proceedings), we may transfer your Personal Data to third parties involved in these transactions. Under these circumstances, such third parties will enter into a confidentiality agreement with us and are obligated to protect any information and Personal Data provided as part of the transaction. 

Third Parties Service Providers 

We share certain information with selected service providers, vendors, hosting companies, consultants, and other providers that carry out functions or services on our behalf and that enable our business operations, including the protection and securing of our systems and services. Such service providers must abide by our privacy and data-security requirements and are not allowed to use Personal Data they receive from us for any other purpose.  

Client Sponsor of Clinical Research Studies 

If you apply to participate in a clinical research study as an investigator or a clinical site, we may share your Personal Data with our client sponsors, whose clinical research studies are within your stated area of interest, as part of the contracted services that we provide to them. 

Disclosure to Protect Veristat and to Comply with Legal Requirements 

Occasionally we may be required by law enforcement or judicial authorities to provide Personal Data to governmental authorities. We may disclose Personal Data upon receipt of a court order, subpoena, or to cooperate with a law enforcement investigation. We fully cooperate with law enforcement agencies in identifying those who use our services for illegal activities. We reserve the right to report to law enforcement agencies any activities that we in good faith believe to be unlawful. 

Veristat may be obliged to disclose certain Personal Data to third parties such as Government Authorities.  It may also be necessary to disclose Personal Data so as to protect the legal interests and exercise other rights of Veristat, subject to local legal requirements. 

A complete list of third parties to whom the Personal Data are shared can be obtained by contacting Veristat’s DPO at data_privacy@veristat.com.

Data Subjects Rights and Subject Access Request (SARs)

GDPR grants various rights to the Data Subjects whose Personal Data are processed:

• The right to access your personal information
• The right to correct or amend any personal information we have on file about
• The right to delete your personal information in certain circumstances
• The right to restriction of processing in certain circumstances
• Your right to object to processing
• Your right to data portability
• Your right to withdraw consent
• The right to restrict the use of your personal information for certain automated decision-making (including profiling)

Recourse, Enforcement and Liability

• Any complaints or concerns regarding the use, disclosure or transfer of Personal Data by Veristat should in the first instance be directed to the Veristat DPO at data_privacy@veristat.com
• Complaints that cannot be resolved internally by Veristat will be referred to the applicable independent dispute resolution body/Supervisory Authority designated to address complaints and provide appropriate recourse, which will be provided free of charge to the individual ((1) the panel established by the EU DPAs and, as applicable, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and/or (2) the Swiss Federal Data Protection and Information Commissioner (FDPIC), an alternative dispute resolution provider based in the European Union and, as applicable, the United Kingdom, and/or Switzerland for HR, or (3) the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States.
• In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veristat commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
• In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veristat commits to refer unresolved complaints concerning our handling of non-HR personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution-American Arbitration Associate (ICDR-AAA), an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint.  The services of ICDR-AAA are provided at no cost to you.
• The Federal Trade Commission has jurisdiction over Veristat’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

How to Contact Us

If you wish to contact Veristat to ask questions, discuss privacy matters, exercise your rights (to the extent applicable) or report your concerns, please contact us at:  data_privacy@veristat.com or by writing to:

Veristat LLC 
134 Turnpike Road, Suite 200 
Southborough, MA 01772

Veristat International Limited 
27 Old Gloucester Street 
London, United Kingdom, WC1N 3AX

Please provide sufficient detail for Veristat to properly assess and respond to your request.  Veristat may be unable to respond to incomplete or vague requests. Veristat will require you to provide a proof of identity and a proof of address before proceeding with your request. If more information is required, such as the provision of one or more forms of valid government identification, we will contact you and request additional verification.

You may authorize a third-party representative to make a request on your behalf. Any third-party representative making a request on your behalf must indicate that they are  acting as your representative and provide the name, email address and description of the relationship with you, and a certification that they have  permission to submit a request on your behalf.  Veristat may require proof of the delegation of authority to the third-party representative, including your written permission to the third-party representative, and/or a valid power of attorney. Veristat reserves the right not to respond to requests that failed to show a valid proof of identity, address and/or delegation of authority.

individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.  To learn more, please visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

Enquiries and Complaints

Veristat commits to resolve enquiries and complaints about its Processing of Personal Data in compliance with this Policy and applicable Data Protection Laws.

As detailed above, you may contact us by either sending an email to the Data Privacy Officer (“DPO”) at data_privacy@veristat.com or by writing to:

Veristat LLC 
134 Turnpike Road, Suite 200 
Southborough, MA 01772 

Veristat International Limited 
27 Old Gloucester Street 
London, United Kingdom, WC1N 3AX

Notification of changes

Effective: April 2025

Confidential and Proprietary