Data Privacy Policy

Purpose

The purpose of this policy is to ensure that Veristat, LLC (“Veristat”) meets its legal, statutory and regulatory obligations under the Data Protection Laws and to ensure that all personal and special category information is processed compliantly and in the Data Subjects’ best interest. 

Veristat is committed to respecting the rights of the individuals on the confidentiality and protection of their Personal Data and processes personal data according to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the UK Data Protection Act 2018 and other applicable laws governing the processing of personal data (the “Data Protection Laws”).
Veristat may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective
and past), Investigator and other sites staff, clinical trial participants and sponsors of clinical trials where Veristat provides contracted clinical trial services to clients, visitors to the website, or any other individual that Veristat has a relationship with or may need to contact.

Data is transferred outside the UK on the basis of declaration of adequacy.

Unless otherwise specified in the document, this policy applies to all Processing operations carried out by Veristat in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Veristat Data Protection standards and to comply with international regulations governing Data Privacy. When Veristat process Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Veristat). This policy applies to data collected and processed for any business purposes, including Talent & Culture (T&C); however, certain sections will apply only
when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union or the UK. The policy also describes how any data breaches will be investigated and reported and protects the rights of all individuals who may have personal information collected by Veristat.

Scope

This document is relevant to all employees of Veristat, and those contracted to perform tasks on behalf of Veristat. It is the responsibility of each employee or contractor to ensure that, at all times, data are collected, handled, stored and disposed of in
compliance with all of the requirements of this policy and the applicable Data Protection Laws.

Procedure

1. The Principles of Data Privacy

1.1. The General Data Protection Regulation (EU) (2016/679) (“GDPR”) is underpinned by 6 primary principles (Article 5 of the GDPR), as follows:

• Processes lawfully, fairly and in a transparent manner.
• Collected for specific, explicit and legitimate purposes and not further processed in an impatible manner.
• Adequate, relevant, and limited to what is necessary.
• Kept accurate and up to date.
• Not kept, any longer than is necessary, in a form which permits identification of a subject.
• Appropriate organization and security measures ensuring protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. 
• Ensure appropriate measures, records and controls are in place to be able to demonstrate compliance.  

1.2. Depending on the type of Processing (e.g. contractual or legal obligations, marketing), the type of Personal Data (e.g. data relating to health), and the type of Data Subjects to which the Personal Data related (e.g. children/minors), further principles and obligations may be imposed. 

2. Definitions

Authorized Personnel is all employees and consultants of Veristat (acting either as Data Privacy Controller or
Data Processor), who are authorised to process or use the Personal Data on the basis of
the tasks assigned to them in the performance of their duties.

Data Privacy Controller is the natural or legal person that determines the purposes, conditions, and means of the Processing of Personal Data — i.e., a company or organization which requires Personal Data. For the purposes of this Policy and with reference to the Processing described therein, the Data Privacy Controller is Veristat.

Data Privacy Coordinators are internal focal points, identified for organisational purposes, for the practical and
operational management of the Processing activities (e.g. T&C manager, Legal manager, etc.), therefore a Data Manager is identified inside each Veristat departments.

Data Privacy Officer (DPO) is an individual either internal or external to the organization tasked with the
following responsibilities: Informing and advising the organization/business and its employees/consultants about their obligations to comply with the data protection laws; Working towards the compliance with this policy and other Data Protection Laws. This may include monitoring specific processes, managing or supervising internal Personal Data protection activities, advising on data protection impact assessments, as well as increasing employees/consultants awareness for data protection and training them on compliance with this policy; Being the first point of contact for supervisory authorities/dispute resolution bodies and individuals whose data is processed.

Veristat will ensure that an appropriately trained and qualified individual, or individuals, are assigned as Data Privacy Officer. This will be included in the Job Description of the respective employee(s) or consultant(s).

Data Privacy Breach is defined as breach of security in a company, either Data Privacy Controller or Data Processor, which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller, such as cloud service providers or data analytics firms. Veristat may act as Data Processor on behalf of Clinical Trial Sponsors. Standard language related to obligations for Data Privacy and Data Processing will be included in Master Services Agreements (MSAs) or specific Data Processing Agreements (DPAs) with Clinical Trial Sponsors.

Data Protections Laws, for the purposes of this document, the collective description of the GDPR, the UK GDPR
the UK Data Protection Act 2018, and any other relevant data protection laws that Veristat complies with.

Data Subject is an individual who is the subject of Personal Data.

Personal Data means any information relating to an identified or identifiable natural person (i.e. a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

An individual natural person can be identifiable, either directly or indirectly. An individual is identifiable if it is possible, also in combination with other Personal Data or through third parties, to distinguish that individual from other members of a group. In some cases, there is no question that an individual can be ‘directly’ identified. A government issued ID, for example, is explicitly and uniquely personal and would always be considered Personal Data. In other cases, a combination of data is required for the data to be deemed Personal Data. Importantly, the data does not need to be already combined, there just needs to be a possibility for it to become combined at some point in the future.

Examples of Personal Data are names, surnames, dates of birth, social security, location or other identifiable personal security information or addresses or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data also includes online identifiers such as IP addresses and mobile device IDs.

Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning physical or mental health and data concerning a natural person's sex life or sexual orientation (e.g. a medical certificate, clinical chart or case history, an email in which an employee states that he or she is on sick leave, allergies, documentation about injuries, etc.).

Supervisory Authority is an independent entity or independent dispute resolution body that has the duty of hearing, investigating, and ultimately verifying complaints made by Data Subjects on privacy matters. In certain regions, they are also empowered to impose administrative fines and punishments should the complaint be deemed valid, i.e., the company under investigation is found to have violated the applicable Data Protection Laws.

Third Party is a natural or legal person, public authority, agency or body other than the Data Subject, under the direct authority of Veristat, or as an independent Data Privacy Controller or joint Data Privacy Controller.

3. Specific Requirements in the Commonwealth of Massachusetts

3.1. This Data Privacy Policy will also ensure that timely notice is provided whenever confidential information (including, but not limited to, “personal information” protected under applicable data security laws such as M.G.L. c. 93H and 201 CMR 17.00 et seq.) has been compromised as a result of a breach of Veristat’s internal and external data security measures. Specifically, this includes the following:

• Data security breaches involving confidential information owned or licensed by Third Party.  For data security breaches involving confidential information that is owned or licensed by a third party, Veristat DPO shall provide prompt written notice to the affected owners and licensors when Veristat knows or has reason to know of a breach of the company’s data security measures or upon learning that confidential information of a resident of the Commonwealth of Massachusetts has been acquired or used by an unauthorized person or used for an unauthorized purpose. Said written notice to the affected owner/licensor shall include the following information: The date or approximate date of the data security breach incident and the nature thereof; and the steps that Veristat has taken or plans to take, if any, relating to the data security breach incident.

• In providing notice to affected owners and licensors of the information, Veristat is not required to disclose confidential business information or trade secrets or to provide notice to any affected resident of the Commonwealth of Massachusetts
  who may be affected by the data security breach or unauthorized acquisition or use of his or her confidential information.
• Data security breaches involving Confidential Information owned or licensed by Veristat.

3.2.1. For data security breaches involving confidential information that is owned or licensed by Veristat, Veristat shall provide prompt written notice to the Massachusetts Attorney General, the Director of Consumer Affairs and Business Regulation, and to any affected resident of the Commonwealth of Massachusetts, when Veristat knows or has reason to know of a data security
breach or that the confidential information of a resident of the Commonwealth of Massachusetts was acquired or used by an unauthorized person or for an unauthorized purpose. Said written notice to the Attorney General and Director of Consumer Affairs and Business Regulation shall include the following information:

• The date or approximate date of the data security breach incident and the nature thereof;
• The approximate number of residents of the Commonwealth of Massachusetts affected by the data security breach incident; and
• The steps that Veristat has taken or plans to take, if any, relating to the data security breach incident.

3.2.2. The notice to be provided to the resident of the Commonwealth of Massachusetts shall include the following information:
The individual’s right to obtain a police report; How to request a security freeze on his or her credit report; and any fees required to be paid to any consumer reporting agencies.

3.2.3. The notice to affected residents shall not include the nature of the data security breach or the number of affected residents of the Commonwealth of Massachusetts.

3.3. Notification during Criminal Investigation

• If a law enforcement agency responding to a data security breach incident determines that the provision of the above notices would impede an ongoing criminal investigation, Veristat shall delay notification until informed by law enforcement that notification no longer poses a risk of impeding the investigation.
• Veristat shall cooperate with law enforcement in its investigation of any data security breach incident and shall share all information relevant to the incident, with the exception of confidential business information and trade secrets.

4. Data Sources

Veristat collects and stores data from the following sources :

• Employees, consultants and other contractors
• Investigator sites
•  Vendors
• Sponsors
• Website visitors
  
  

5. Accountability and Compliance

5.1. Veristat has a mission towards compliance with laws and regulations, including applicable Data Protection Laws. Given the nature, scope, context and purposes of the Processing performed, in particular in the context of clinical trials, regulatory services
and study monitoring, Veristat has implemented adequate and appropriate technical and organisational measures to ensure the safeguarding of Personal Data and can evidence such measures through documentation and practices.

5.2. The main governance objectives pursued by Veristat in relation to data privacy are the following:

• Educate Senior Management and Authorized Personnel about mandatory data privacy requirements under the applicable Data Protection Laws;
• Identify key stakeholders to support the data protection compliance program; 5.2.3. Make sure that Authorized Personnel and Data Privacy Coordinators have sufficient access, support and resources to perform their duties; 5.2.4. Identify, create, and communicate privacy related matters according to the Privacy Organizational Model; and 5.2.5. Identify and monitor the technical and organizational measures that Veristat has implemented to ensure and demonstrate compliance with the applicable Data Protection Laws.

6. Legal Basis for Processing

6.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e. legal basis):

6.1.1.  The Data Privacy Controller has obtained the previous consent of the Data Subject and such consent is:

• Informed: a complete privacy notice was provided;
• Issued following a specific request that must be separate from the rest of the text and provided using clear and plain language;
• Freely given: the performance of a contract, including the provision of a service, etc., must not be dependent on the consent;
• Expressed and documented: it is however necessary to keep track of the date of issue of consent as evidence.

6.1.2. Processing is otherwise necessary for:

• Compliance with a legal obligation or regulation (from UK laws, European laws and regulation and applicable national laws in Europe);
• The performance of an agreement or a request made directly by the Data Subject (for example, assistance requested via e-mail or pre-contractual requests);
• The protection of the vital interests of the Data Subject or of another natural person; 6.1.2.4. the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Privacy Controller;
• The fulfilment of a legitimate interest of the Data Privacy Controller or a Third Party, except where such interest is overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child.
  
  

7. Information to the Data Subjects

7.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), before any Processing (e.g. collection, analysis,
Processing, updating, modification or erasure) or, if the Personal Data are not provided by the Data Subject, within a reasonable period after obtaining the Personal Data, at the time of the first communication to that Data Subject or when the Personal Data are first disclosed, as the case may be, Veristat provides to the Data Subject the following information in the form of a privacy notice:

• The identity and the contact details of the Data Privacy Controller;
• The contact details of the DPO;
• The purpose(s) of the Processing for which the Personal Data is intended;
• The legal basis for the Processing; where the Processing is necessary for the purposes of the legitimate interests pursued by the Data Privacy Controller or by a Third Party, details of the legitimate interests;
• The recipients or categories of recipients of the Personal Data; from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources;
• If applicable, the fact that Veristat intends to transfer the Personal Data to a third country and the existence of an adequacy decision or, in the absence of an adequate decision, reference to the appropriate or suitable safeguards that
  Veristat has put in place;
• The period during which the Personal Data will be stored, or if that is not possible, the criteria used to determine the retention period;
• The existence of the right to request access to and rectification or erasure of, Personal Data, restriction of Processing or to object to Processing as well as the right to data portability;
• Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of the Processing based on consent before its withdrawal; 
• The right to lodge a complaint with the Supervisory Authority;
• Whether providing Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
• The existence of any automated decision-making, including profiling, and explanatory information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and
• Where Veristat intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected.

7.2. Veristat has also implemented a website privacy policy and can provide to its users a copy of physical and digital formats upon request. The website privacy policy is the customer facing policy that provides the legal information on how Veristat handles, processes and discloses Personal Data of website visitors.

8. Rules on Consent

When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), where Processing is based on “consent”, Verisat
ensures that:

• Consent requests are transparent, using plain language and is void of any illegible terms, jargon or extensive legal terms;
• Consent is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes;
• Consent is always given by a statement or a clear affirmative action (positive optin) which signifies agreement to the Processing of Personal Data;
• Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand;
• Pre-ticked, opt-in boxes are not used;
• Where consent is given as part of other matters (i.e. terms & conditions, agreements, contracts), Veristat ensures that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service);
• Along with Veristat, details are provided of any other Third Party who will use or rely on the consent;
• Consent is always verifiable, and Veristat has controls in place to ensure that it can demonstrate consent in every case.

9. Consent Controls

9.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), Veristat maintains updated records of Consent to
demonstrate that, where applicable, the Data Subject has consented to Processing of his or her Personal Data.

9.2. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), Veristat also implemented the following consent
control mechanisms:

• Opt-out links in mailings or electronic communications;
• Opt-out process explanation and steps on the company website and in all written communications;
• Ability to opt-out verbally, in writing or by email;
• Consent withdrawal requests are processed immediately and without detriment;
• Where services are offered to children, age-verification and parental-consent measures have been developed and are in place to obtain consent;
• Controls and processes have been developed and implemented to refresh consent, especially those relating to parental consents;
• For Special Category of Personal Data, the consent obtained is explicit (stated clearly and in detail, leaving no room for confusion or doubt) with the Processing purpose(s) always being specified.

10. Register of Processing Activities

• Veristat keeps a register of the Processing of Personal Data conducted in the capacity of Data Privacy Controller and of Data Processor (‘Register of Processing Activities’), in a clear and easy to read format and readily available to the Supervisory Authority upon request.
• Each Data Manager shall promptly report to the DPO any change in the activities performed by their department, which has or may have an impact on the personal data process by such department, so that the DPO can update the Register of Processing Activities.
• In the case of new Processing or modifications to existing Processing, the DPO shall be immediately informed so that the Register of Processing Activities can be updated.

11. Third-Party Data Processors and Third-Party Data Privacy Controllers

• Veristat may instruct Third Parties to perform certain Processing activities on its behalf.
• When a Third Party has to be selected for such purpose, Veristat: Performs a preliminary privacy audit to assess if such Third Party has implemented adequate organizational and security measures; and records all Personal Data that have to be transferred outside the organization.
• The Third Party is then authorized to receive and process that Personal Data by virtue of a data processing agreement whereby the Third Party is entrusted with the duties and responsibility of a Data Processor.
• Before transferring Personal Data to a Third Party, Authorized Personnel must verify, with the assistance of the Data Manager of their department, that the selected Third Party is authorized to process the Personal Data to be transferred.
• Veristat also recognises that the continued protection of the security of Personal Data and Data Subjects’ rights is a top priority when choosing or maintaining a contractual arrangement with a Third Party. Therefore, audits of Data Processors may be also performed regularly during the contractual relationship with them, with or without cause.
• If the Third Party acts in the capacity of independent Data Privacy Controller (or also of joint Data Privacy Controller), specific clauses governing the data protection responsibilities of each party are included in the written contractual arrangement with such Third Party.
• If the Third Party (in the capacity of Data Privacy Controller and Data Processor) is intended to receive from Veristat Special Categories of Personal Data, particular care will be taken in the selection of the Third Party and in the assessment of the organizational and security measures implemented by such Third Party.

 12 Privacy by Design and Privacy by Default

12.1.  When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), Veristat utilizes various security mechanisms to
protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction in light of the risks involved in the Processing and the nature of the Personal Data.

• Before beginning any Processing of Personal Data, Authorized Personnel – with the support of the Data Manager of their department and, when necessary, of the DPO – will perform an assessment to identify the appropriate technical and
  organizational measures to effectively implement the Data Protection principles and obligations;
• The aim of the assessment performed is to identify and integrate into the planned Processing on the Personal Data the safeguards required by this Policy and the applicable Data Protection Laws to protect Data Subjects’ rights;
• The assessment will take in due consideration the state of the art and the costs of implementation, the nature, sphere of application, context and purposes of the Processing, as well as the risks to the rights and freedoms of Data Subjects. In
  particular, Veristat applies the following controls and measures:
  • Data Minimization: systems, processes and activities are designed to limit the collection and Processing of Personal Data to what is directly relevant and necessary to accomplish the specified purpose. Personal Data shall be regularly reviewed and updated if it is found to be out of date and Personal Data no longer required will be securely disposed of.
  • Pseudonymization: where possible, pseudonymization techniques are used to record, process and store Personal Data to ensure that it can no longer be attributed to a specific Data Subject without the use of separate, additional information (i.e. a personal identifier).
  • Encryption: for transferring Personal Data to a Third Party, a secret key is used to make Personal Data inaccessible unless decryption of the dataset is carried out using the assigned key. Encryption is also used to protect the personal identifiers removed after the use of pseudonymization techniques.
  • Restriction: access to Personal Data is restricted only to Authorized Personnel that needs to have access to such Personal Data to perform their job functions. Personal Data will be maintained securely and will not be disclosed to unauthorized individuals, whether internally or externally.
  • Training: Veristat ensures that Authorized Personnel are trained on this Policy and the applicable Data Protection Laws. The DPO will advise and guide Authorized Personnel and Data Manager on relevant privacy requirements.

• All Authorized Personnel, in the context of their assigned tasks and the Processing conducted, must ensure that Veristat has implemented technical and organizational security measures appropriate to the potential risks to ensure, by default, that only the Personal Data necessary for the specific purposes of the Processing are processed. In this context, unless it appears from the company documentation that Veristat had already approved the Processing, Authorized Personnel must bring the Processing to the attention of the relevant Data Manager and, if necessary, to the DPO to conduct the necessary impact assessments, to identity potential risks and the organizational and security measures to be taken.

13. Security Measures

• Personal Data are protected with appropriate security measures, taking into account the status of technical innovation, their nature and the specific features of the Processing.
• Security measures can be defined as all those technical measures, electronic devices and/or computerised application systems, which are used to guarantee the following conditions: Personal Data are not destroyed or lost, accidentally or otherwise; Only Authorized Personnel can access Personal Data on a “need to know basis”; No Processing, which is unlawful or inconsistent with the purposes for which Personal Data were collected, is performed.
• In particular, Veristat has implemented the following security measures: Risk of Personal Data Breaches are managed through the Data Breach Handling Procedure; Personal Data will be maintained securely, strong passwords will be utilized (and
  enforced by the Information Technology policies and infrastructure);Personal Data will not be disclosed to unauthorized individuals, whether internally or externally; Personal Data are regularly reviewed and updated; Personal Data no longer required will be securely disposed of; During a clinical trial, Personal Data are pseudonymized; however, should Personal Data of study participants be inadvertently received from the Hospital Site, an Investigator or other source with identifying information contained within, the Personal Data will be returned to the originating source and a redacted version requested. If would not be feasible, then personal identifiers will be eliminated by Veristat from Personal Data to ensure propagation of identifying information does not occur.

14. Legitimate Interests Assessment (LIA)

• Legitimate interest may provide a legal basis for Processing unless such interest is overridden by fundamental rights and freedoms of the Data Subjects.
• When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), prior to Processing Personal Data based on
  legitimate interest, the existence of such interest must be carefully assessed, including the expectation of the Data Subject that, at the time and in the context of the collection of Personal Data, a Processing for that specific purpose may take place.
• The Legitimate Interests Assessment (hereinafter, “LIA”) is a self-assessment to ensure that the Processing is lawful and complies with the GDPR principles.The LIA includes: purpose test, necessity test and balancing test. 
• A Records of LIAs and outputs is retained to demonstrate compliance with the GDPR, helping to show the proper decision-making processes in place and to justify the outcome. The LIA will be reviewed and refreshed if there is any significant change in the purpose, nature or context of the Processing. In the event that the outcome of the balancing test shall identify a significant risk, a DPIA to assess the risk and potential mitigation actions will be conducted.

15. Data Protection Impact Assessments (DPIA)

• When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat UK employees), processing involving the use of new technologies and/or where there is a likelihood that such Processing could result in a high risk to the rights and freedoms of Data Subjects. In those circumstances, having regard to the nature, subject, context and purposes of the Processing, Veristat performs a prior Data Protection Impact Assessment (DPIA) with the involvement of the DPO.
• Carrying out DPIAs enables Veristat to identify the most effective way to comply with its data protection obligations, mitigating risks and ensure the highest level of protection to Personal Data processed. It is part of the Veristat Privacy by Design approach to assess the impact and risk before carrying out new Processing activities,thus identifying and correcting issues at the source, reducing costs, potential breaches and risks.
• Solutions and suggestions are set out in the DPIA and all risks are rated to assess their likelihood and impact. The aim of solutions and mitigating actions is to ensure that the risk is either: eliminated, reduced or accepted.

16. Prior Consultation with the Supervisory Authority

Veristat, with the assistance of the DPO, shall consult in advance with the applicable Supervisory Authority if a DPIA indicates that the Processing could result in a high risk of the individuals concerned in the absence of additional organizational and security measures.

17. Data Retention, Storage & Disposal

• Veristat has defined retention periods according to the applicable Data Protection Laws, Good Clinical Practice (GCP) and Pharmaceuticals laws and regulations.
• Paper data are stored in a secure location which prevents access by unauthorized personnel. Access to restricted locations is governed by appropriate authorization mechanisms described in Business Continuity Plan. Electronic data are
  stored, secured and backed up according to the requirements of Network and Security Monitoring Policy.
• Electronic and paper records are retained in line with Retention of Records.
• All Personal Data is disposed of in a way that protects the rights and freedom of Data Subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and give priority the protection of the Personal Data in all instances.
• Any file stored in soft copy on the repositories and servers authorized by Veristat must be deleted from the server and any back up or secondary repository upon expiration of the relevant retention period.

18. International Transfers of Personal Data

• Transfer of Personal Data from the European Union or the UK is prohibited to recipients or servers located in third countries where the third country jurisdiction is inadequate, appropriate safeguards have not been implemented, or no derogation or
  exemption applies (i.e., specific consent is obtained).
• If an Authorized Personnel is unsure of the implications of transferring Personal Data outside the European Union or the UK, he/she has to inform the Data Manager and the DPO for the assessment of the specific situation.
• Where Personal Data is being transferred outside the European Union or the UK, the transfer is encrypted with a secret key and where possible is also subject to data minimization methods.
• Veristat has implemented a Privacy Data Transfer Register and Data Privacy Transfer Policy so that tracking is easily available, and authorization is accessible.

19. Reporting and Management of Personal Data Breeches

•  Whilst every effort and measures are taken to reduce the risk of Personal Data Breaches, Veristat has dedicated controls and procedures in place for such situations, including for the notification to the Supervisory Authority and Data Subjects concerned, when applicable.
• If a Personal Data Breach occurs, the following actions will be taken: The DPO must be informed within 1 business day if any Authorized Personnel becomes aware of a potential or actual breach, or of a complaint regarding a Personal Data Breach brought by any individual or government agency, and in case of an actual or suspected Personal Data Breach, all Authorized
  Personnel must also implement appropriate mitigation actions, as decided by the DPO in relation to the specific situation, and provide assistance to the DPO for the proper investigation, remediation and notification (if applicable) of the
  Personal Data Breach.
• The DPO will, in particular, carry out a Personal Data Breach investigation to gather any necessary information required in order to make an informed decision regarding the nature of the potential or actual breach, and whether further reporting is required according to the nature, location and severity of the issue.
• This Policy is designed to provide global protection of Personal Data. If a potential or actual breach of Personal Data occurs outside of the European Union/UK, the DPO will ensure any local reporting requirements are adhered to. Actual and suspected Personal Data Breaches will be reported to any required body within 72 hours of occurrence of the breach or the different timeline specified under the applicable Data Protection Laws. The DPO will liaise with all internal stakeholders (including, but not limited to, Senior Management, Information Technology and Quality Assurance & Compliance) to ensure the breach is minimized and that the risk of subsequent or repeated Personal Data Breaches are eliminated through a series of corrective and/or preventive actions.
• Veristat keeps a Data Breach Register. Any and all Personal Data Breaches is recorded into the Personal Data Breach Register that will provide details of: The circumstances of the breach; its consequences; and the measures taken to remedy it.

20. Data Subjects Rights and Subject Access Request (SARs)

GDPR grants various rights to the Data Subjects whose Personal Data are processed:

• Subject Access Requests (SARs) can be made to the DPO via data_privacy@veristat.com.
• If any Authorized Personnel receives a SAR, he/she must forward that request to the DPO sending an email to data_privacy@veristat.com within 1 business day of receipt of the request. The DPO, also with the support of the Data Manager, will assess the SAR within 1 business day of receipt and determine the reason for the request and the lawfulness of the Processing. SARs must be responded to within 1 calendar month of receipt of the initial SAR. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further
  months where necessary. However, this is only done in exceptional circumstances and the Data Subject is kept informed in writing throughout the retrieval process of any delays or reasons for delay.
• Any requested information is provided to the Data Subject free of charge and in writing, or by other means authorized by the Data Subject and, when applicable, with prior verification as to the Data Subject’s identity (i.e. verbally, electronic).
  
  

21. Recourse, Enforcement and Liability

• Any complaints or concerns regarding the use, disclosure or transfer of Personal Data by Veristat should in the first instance be directed to the Veristat DPO at data_privacy@veristat.com
• Complaints that cannot be resolved internally by Veristat will be referred to the applicable Supervisory Authority (i.e. ICO, another EU DPAs or a competent non-EU authority) to address complaints and provide appropriate recourse, which will be
  provided free of charge to the individual.

22. Inquiries and Complaints

Veristat commits to resolve inquires and complaints about its Processing of Personal Data in compliance with this Policy and applicable Data Protection Laws. Individuals with inquiries or complaints regarding this Privacy Policy may first contact Veristat at data_privacy@veristat.com.

23. Auditing

• Veristat will also perform periodic audits with a view to ensuring that the organizational and security measures in place, to protect Data Subjects and their Personal Data, are adequate, effective and compliant at all times.
• The DPO has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement and action plans to the Senior Management.
• All reviews and audits are recorded by the DPO and audit reports are provided to Senior Management for review and approval and can be made available to the Supervisory Authority upon request.

24. Violation of the Policy

• Any breaches of this Policy must be reported to the relevant Data Manager, Senior Management and the DPO

  at data_privacy@veristat.com.

Effective: 1 March 2021

Confidential and Proprietary.