Purpose
The purpose of this policy is to ensure that Veristat, LLC and its subsidiaries (“Veristat”) meets its legal, statutory and regulatory obligations under the Data Protection Laws and to ensure that all personal and special category information is processed compliantly and in the Data Subjects’ best interest.
Veristat is committed to respecting the rights of the individuals on the confidentiality and protection of their Personal Data and processes personal data according to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the UK Data Protection Act 2018 and other applicable laws governing the processing of personal data (the “Data Protection Laws”).
Veristat may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective and past), Investigator and other site staff, clinical trial participants and sponsors of clinical trials where Veristat provides contracted clinical trial services to clients, visitors to the website, or any other individual that Veristat has a relationship with or may need to contact.
Data is transferred outside the UK on the basis of a declaration of adequacy.
Unless otherwise specified in the document, this policy applies to all Processing operations carried out by Veristat in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Veristat Data Protection standards and to comply with international regulations governing Data Privacy. When Veristat processes Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Veristat). This policy applies to data collected and processed for any business purposes, including Talent & Culture (T&C); however, certain sections will apply only when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union (EU), the United Kingdom (UK), or Switzerland. The policy also describes how any data breaches will be investigated and reported, and protects the rights of all individuals who may have personal information collected by Veristat.
Veristat and its U.S. operating subsidiary, Instat Clinical Research (collectively referred to as “Veristat”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Veristat has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Veristat has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Scope
This document is relevant to all employees of Veristat, and those contracted to perform tasks on behalf of Veristat. It is the responsibility of each employee or contractor to ensure that, at all times, data are collected, handled, stored and disposed of in compliance with all of the requirements of this policy and the applicable Data Protection Laws.
Procedure
1. The Principles of Data Privacy
1.1. The General Data Protection Regulation (EU) (2016/679) (“GDPR”) is underpinned by 6 primary principles (Article 5 of the GDPR), under which Personal Data must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specific, explicit and legitimate purposes and not further processed in an incompatible manner.
- Adequate, relevant, and limited to what is necessary.
- Accurate, and where necessary, kept up to date.
- Not kept any longer than is necessary in a form which permits identification of a subject.
- Protected by appropriate organizational and security measures against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Subject to appropriate measures, records and controls that allow the Data Privacy Controller to demonstrate compliance.
1.2. Depending on the type of Processing (e.g. contractual or legal obligations, marketing), the type of Personal Data (e.g. data relating to health), and the type of Data Subjects to which the Personal Data relate (e.g. children/minors), further principles and obligations may be imposed.
2. Definitions
Authorized Personnel is all employees and consultants of Veristat (acting either as Data Privacy Controller or Data Processor), who are authorized to process or use the Personal Data on the basis of the tasks assigned to them in the performance of their duties.
Data Privacy Controller is the natural or legal person that determines the purposes, conditions, and means of the Processing of Personal Data — i.e., a company or organization which requires Personal Data. For the purposes of this Policy and with reference to the Processing described therein, the Data Privacy Controller is Veristat.
Data Privacy Coordinators are internal focal points, identified for organisational purposes, for the practical and operational management of the Processing activities (e.g. T&C manager, Legal manager, etc.); therefore a Data Manager is identified inside each Veristat department.
Data Privacy Officer (DPO) is an individual either internal or external to the organization tasked with the following responsibilities:
- Informing and advising the organization/business and its employees/consultants about their obligations to comply with the data protection laws;
- Working towards compliance with this policy and other Data Protection Laws. This may include monitoring specific processes, managing or supervising internal Personal Data protection activities, advising on data protection impact assessments, as well as increasing employees'/consultants' awareness of data protection and training them on compliance with this policy;
- Being the first point of contact for supervisory authorities/dispute resolution bodies and individuals whose data is processed.
Veristat will ensure that an appropriately trained and qualified individual, or individuals, are assigned as Data Privacy Officer. This will be included in the Job Description of the respective employee(s) or consultant(s).
Data Privacy Breach is defined as a breach of security in a company, either Data Privacy Controller or Data Processor, which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller, such as cloud service providers or data analytics firms. Veristat may act as Data Processor on behalf of Clinical Trial Sponsors. Standard language related to obligations for Data Privacy and Data Processing will be included in Master Services Agreements (MSAs) or specific Data Processing Agreements (DPAs) with Clinical Trial Sponsors.
Data Protection Laws is, for the purposes of this document, the collective description of the GDPR, the UK GDPR, the UK Data Protection Act 2018, and any other relevant data protection laws that Veristat complies with.
Data Subject is an individual who is the subject of Personal Data.
Personal Data means any information relating to an identified or identifiable natural person (i.e. a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
An individual natural person can be identifiable, either directly or indirectly. An individual is identifiable if it is possible, also in combination with other Personal Data or through third parties, to distinguish that individual from other members of a group. In some cases, there is no question that an individual can be ‘directly’ identified. A government issued ID, for example, is explicitly and uniquely personal and would always be considered Personal Data. In other cases, a combination of data is required for the data to be deemed Personal Data. Importantly, the data does not need to be already combined, there just needs to be a possibility for it to become combined at some point in the future.
Examples of Personal Data are names, surnames, dates of birth, social security numbers, location data or other identifying personal information, addresses, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data also includes online identifiers such as IP addresses and mobile device IDs.
Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Categories of Personal Data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning physical or mental health and data concerning a natural person's sex life or sexual orientation (e.g. a medical certificate, clinical chart or case history, an email in which an employee states that they are on sick leave, allergies, documentation about injuries, etc.).
Supervisory Authority is an independent entity or independent dispute resolution body that has the duty of hearing, investigating, and ultimately verifying complaints made by Data Subjects on privacy matters. In certain regions, they are also empowered to impose administrative fines and punishments should the complaint be deemed valid, i.e., the company under investigation is found to have violated the applicable Data Protection Laws.
Third Party is a natural or legal person, public authority, agency or body other than the Data Subject, under the direct authority of Veristat, or as an independent Data Privacy Controller or joint Data Privacy Controller.
3. Specific Requirements in the Commonwealth of Massachusetts
3.1. This Data Privacy Policy will also ensure that timely notice is provided whenever confidential information (including, but not limited to, “personal information” protected under applicable data security laws such as M.G.L. c. 93H and 201 CMR 17.00 et seq.) has been compromised as a result of a breach of Veristat’s internal and external data security measures. Specifically, this includes the following:
- Data security breaches involving confidential information owned or licensed by a Third Party. For data security breaches involving confidential information that is owned or licensed by a third party, Veristat's DPO shall provide prompt written notice to the affected owners and licensors when Veristat knows or has reason to know of a breach of the company's data security measures or upon learning that confidential information of a resident of the Commonwealth of Massachusetts has been acquired or used by an unauthorized person or used for an unauthorized purpose. Said written notice to the affected owner/licensor shall include the following information: the date or approximate date of the data security breach incident and the nature thereof; and the steps that Veristat has taken or plans to take, if any, relating to the data security breach incident.
- In providing notice to affected owners and licensors of the information, Veristat is not required to disclose confidential business information or trade secrets or to provide notice to any affected resident of the Commonwealth of Massachusetts who may be affected by the data security breach or unauthorized acquisition or use of their confidential information.
3.2. Data security breaches involving confidential information owned or licensed by Veristat.
3.2.1. For data security breaches involving confidential information that is owned or licensed by Veristat, Veristat shall provide prompt written notice to the Massachusetts Attorney General, the Director of Consumer Affairs and Business Regulation, and to any affected resident of the Commonwealth of Massachusetts, when Veristat knows or has reason to know of a data security breach or that the confidential information of a resident of the Commonwealth of Massachusetts was acquired or used by an unauthorized person or for an unauthorized purpose. Said written notice to the Attorney General and Director of Consumer Affairs and Business Regulation shall include the following information:
- The date or approximate date of the data security breach incident and the nature thereof;
- The approximate number of residents of the Commonwealth of Massachusetts affected by the data security breach incident; and
- The steps that Veristat has taken or plans to take, if any, relating to the data security breach incident.
3.2.2. The notice to be provided to the resident of the Commonwealth of Massachusetts shall include the following information:
- The individual's right to obtain a police report;
- How to request a security freeze on their credit report; and
- Any fees required to be paid to any consumer reporting agencies.
3.2.3. The notice to affected residents shall not include the nature of the data security breach or the number of affected residents of the Commonwealth of Massachusetts.
3.3. Notification during Criminal Investigation
- If a law enforcement agency responding to a data security breach incident determines that the provision of the above notices would impede an ongoing criminal investigation, Veristat shall delay notification until informed by law enforcement that notification no longer poses a risk of impeding the investigation.
- Veristat shall cooperate with law enforcement in its investigation of any data security breach incident and shall share all information relevant to the incident, with the exception of confidential business information and trade secrets.
4. Data Sources
Veristat collects and stores data from the following sources:
- Employees, consultants and other contractors
- Investigator sites
- Vendors
- Sponsors
- Website visitors
5. Accountability and Compliance
5.1. Veristat has a mission towards compliance with laws and regulations, including applicable Data Protection Laws. Given the nature, scope, context and purposes of the Processing performed, in particular in the context of clinical trials, regulatory services and study monitoring, Veristat has implemented adequate and appropriate technical and organisational measures to ensure the safeguarding of Personal Data and can evidence such measures through documentation and practices.
5.2. The main governance objectives pursued by Veristat in relation to data privacy are the following:
- Educate Senior Management and Authorized Personnel about mandatory data privacy requirements under the applicable Data Protection Laws;
- Identify key stakeholders to support the data protection compliance program;
- Make sure that Authorized Personnel and Data Privacy Coordinators have sufficient access, support and resources to perform their duties;
- Identify, create, and communicate privacy related matters according to the Privacy Organizational Model; and
- Identify and monitor the technical and organizational measures that Veristat has implemented to ensure and demonstrate compliance with the applicable Data Protection Laws.
6. Legal Basis for Processing
6.1. When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e. legal basis):
6.1.1. The Data Privacy Controller has obtained the prior consent of the Data Subject, and such consent is:
- Informed: a complete privacy notice was provided;
- Issued following a specific request that is separate from the rest of the text and presented in clear and plain language;
- Freely given: the performance of a contract, including the provision of a service, etc., must not be dependent on the consent;
- Expressed and documented: the date on which consent was given must be recorded as evidence.
6.1.2. Processing is otherwise necessary for:
- Compliance with a legal obligation or regulation (from UK laws, European laws and regulation and applicable national laws in Europe);
- The performance of an agreement or a request made directly by the Data Subject (for example, assistance requested via e-mail or pre-contractual requests);
- The protection of the vital interests of the Data Subject or of another natural person;
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Privacy Controller;
- The fulfilment of a legitimate interest of the Data Privacy Controller or a Third Party, except where such interest is overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child.
7. Information to the Data Subjects
7.1. When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK, or Swiss employees), before any Processing (e.g. collection, analysis, Processing, updating, modification or erasure) or, if the Personal Data are not provided by the Data Subject, within a reasonable period after obtaining the Personal Data, at the time of the first communication to that Data Subject or when the Personal Data are first disclosed, as the case may be, Veristat provides to the Data Subject the following information in the form of a privacy notice:
- The identity and the contact details of the Data Privacy Controller;
- The contact details of the DPO;
- The purpose(s) of the Processing for which the Personal Data is intended;
- The legal basis for the Processing; where the Processing is necessary for the purposes of the legitimate interests pursued by the Data Privacy Controller or by a Third Party, details of the legitimate interests;
- The recipients or categories of recipients of the Personal Data; from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources;
- If applicable, the fact that Veristat intends to transfer the Personal Data to a third country and the existence of an adequacy decision or, in the absence of an adequacy decision, reference to the appropriate or suitable safeguards that Veristat has put in place;
- The period during which the Personal Data will be stored, or if that is not possible, the criteria used to determine the retention period;
- The existence of the right to request access to and rectification or erasure of, Personal Data, restriction of Processing or to object to Processing as well as the right to data portability;
- Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of the Processing based on consent before its withdrawal;
- The right to lodge a complaint with the Supervisory Authority;
- Whether providing Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
- The existence of any automated decision-making, including profiling, and explanatory information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and
- Where Veristat intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected.
7.2. Veristat has also implemented a website privacy policy and can provide its users with a copy in physical or digital format upon request. The website privacy policy is the customer-facing policy that provides the legal information on how Veristat handles, processes and discloses Personal Data of website visitors.
8. Rules on Consent
When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK, or Swiss employees), where Processing is based on “consent”, Veristat ensures that:
- Consent requests are transparent, use plain language and are free of any unintelligible terms, jargon or extensive legal terms;
- Consent is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes;
- Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the Processing of Personal Data;
- Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand;
- Pre-ticked opt-in boxes are not used;
- Where consent is given as part of other matters (i.e. terms & conditions, agreements, contracts), Veristat ensures that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service);
- Along with Veristat, details are provided of any other Third Party who will use or rely on the consent;
- Consent is always verifiable, and Veristat has controls in place to ensure that it can demonstrate consent in every case.
9. Consent Controls
9.1. When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat maintains updated records of Consent to demonstrate that, where applicable, the Data Subject has consented to Processing of their Personal Data.
9.2. When processing Personal Data of Data Subjects that are resident or based in the EU, the UK, or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat has also implemented the following consent control mechanisms:
- Opt-out links in mailings or electronic communications;
- Opt-out process explanation and steps on the company website and in all written communications;
- Ability to opt-out verbally, in writing or by email;
- Consent withdrawal requests are processed immediately and without detriment;
- Where services are offered to children, age-verification and parental-consent measures have been developed and are in place to obtain consent;
- Controls and processes have been developed and implemented to refresh consent, especially those relating to parental consents;
- For Special Categories of Personal Data, the consent obtained is explicit (stated clearly and in detail, leaving no room for confusion or doubt), with the Processing purpose(s) always being specified.
10. Register of Processing Activities
- Veristat keeps a register of the Processing of Personal Data conducted in the capacity of Data Privacy Controller and of Data Processor (‘Register of Processing Activities’), in a clear and easy to read format and readily available to the Supervisory Authority upon request.
- Each Data Manager shall promptly report to the DPO any change in the activities performed by their department which has or may have an impact on the Personal Data processed by such department, so that the DPO can update the Register of Processing Activities.
- In the case of new Processing or modifications to existing Processing, the DPO shall be immediately informed so that the Register of Processing Activities can be updated.
11. Third-Party Data Processors and Third-Party Data Privacy Controllers
- Veristat may instruct Third Parties to perform certain Processing activities on its behalf.
- When a Third Party has to be selected for such purpose, Veristat:
  - Performs a preliminary privacy audit to assess if such Third Party has implemented adequate organizational and security measures; and
  - Records all Personal Data that have to be transferred outside the organization.
- The Third Party is then authorized to receive and process that Personal Data by virtue of a data processing agreement whereby the Third Party is entrusted with the duties and responsibility of a Data Processor.
- Before transferring Personal Data to a Third Party, Authorized Personnel must verify, with the assistance of the Data Manager of their department, that the selected Third Party is authorized to process the Personal Data to be transferred.
- Veristat also recognises that the continued protection of the security of Personal Data and Data Subjects’ rights is a top priority when choosing or maintaining a contractual arrangement with a Third Party. Therefore, audits of Data Processors may be also performed regularly during the contractual relationship with them, with or without cause.
- If the Third Party acts in the capacity of independent Data Privacy Controller (or also of joint Data Privacy Controller), specific clauses governing the data protection responsibilities of each party are included in the written contractual arrangement with such Third Party.
- If the Third Party (in the capacity of Data Privacy Controller and Data Processor) is intended to receive from Veristat Special Categories of Personal Data, particular care will be taken in the selection of the Third Party and in the assessment of the organizational and security measures implemented by such Third Party.
- Veristat’s accountability for personal information that it receives under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and subsequently transfers to a third party is described in the EU-U.S. DPF Principles. In particular, Veristat remains responsible and liable under the EU-U.S. DPF Principles if third party agents that it engages to process the personal information on its behalf do so in a manner inconsistent with the EU-U.S. DPF Principles, unless Veristat proves that it is not responsible for the event giving rise to the damage.
12. Privacy by Design and Privacy by Default
12.1. When processing Personal Data of Data Subjects that are resident or based in the EU, the UK, or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat utilizes various security mechanisms to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction in light of the risks involved in the Processing and the nature of the Personal Data.
- Before beginning any Processing of Personal Data, Authorized Personnel – with the support of the Data Manager of their department and, when necessary, of the DPO – will perform an assessment to identify the appropriate technical and organizational measures to effectively implement the Data Protection principles and obligations;
- The aim of the assessment performed is to identify and integrate into the planned Processing on the Personal Data the safeguards required by this Policy and the applicable Data Protection Laws to protect Data Subjects’ rights;
- The assessment will take into due consideration the state of the art and the costs of implementation, the nature, sphere of application, context and purposes of the Processing, as well as the risks to the rights and freedoms of Data Subjects. In particular, Veristat applies the following controls and measures:
- Data Minimization: systems, processes and activities are designed to limit the collection and Processing of Personal Data to what is directly relevant and necessary to accomplish the specified purpose. Personal Data shall be regularly reviewed and updated if it is found to be out of date and Personal Data no longer required will be securely disposed of.
- Pseudonymization: where possible, pseudonymization techniques are used to record, process and store Personal Data to ensure that it can no longer be attributed to a specific Data Subject without the use of separate, additional information (i.e. a personal identifier).
- Encryption: for transferring Personal Data to a Third Party, a secret key is used to make Personal Data inaccessible unless decryption of the dataset is carried out using the assigned key. Encryption is also used to protect the personal identifiers removed after the use of pseudonymization techniques.
- Restriction: access to Personal Data is restricted only to Authorized Personnel that needs to have access to such Personal Data to perform their job functions. Personal Data will be maintained securely and will not be disclosed to unauthorized individuals, whether internally or externally.
- Training: Veristat ensures that Authorized Personnel are trained on this Policy and the applicable Data Protection Laws. The DPO will advise and guide Authorized Personnel and Data Manager on relevant privacy requirements.
- All Authorized Personnel, in the context of their assigned tasks and the Processing conducted, must ensure that Veristat has implemented technical and organizational security measures appropriate to the potential risks to ensure, by default, that only the Personal Data necessary for the specific purposes of the Processing are processed. In this context, unless it appears from the company documentation that Veristat has already approved the Processing, Authorized Personnel must bring the Processing to the attention of the relevant Data Manager and, if necessary, to the DPO to conduct the necessary impact assessments, to identify potential risks and the organizational and security measures to be taken.
13. Security Measures
- Personal Data are protected with appropriate security measures, taking into account the status of technical innovation, their nature and the specific features of the Processing.
- Security measures can be defined as all those technical measures, electronic devices and/or computerised application systems which are used to guarantee the following conditions:
  - Personal Data are not destroyed or lost, accidentally or otherwise;
  - Only Authorized Personnel can access Personal Data on a “need to know” basis;
  - No Processing which is unlawful or inconsistent with the purposes for which Personal Data were collected is performed.
- In particular, Veristat has implemented the following security measures:
  - Risk of Personal Data Breaches is managed through the Data Breach Handling Procedure;
  - Personal Data will be maintained securely, and strong passwords will be utilized (and enforced by the Information Technology policies and infrastructure);
  - Personal Data will not be disclosed to unauthorized individuals, whether internally or externally;
  - Personal Data are regularly reviewed and updated;
  - Personal Data no longer required will be securely disposed of;
  - During a clinical trial, Personal Data are pseudonymized; however, should Personal Data of study participants be inadvertently received from the Hospital Site, an Investigator or other source with identifying information contained within, the Personal Data will be returned to the originating source and a redacted version requested. If this is not feasible, then personal identifiers will be eliminated by Veristat from the Personal Data to ensure that propagation of identifying information does not occur.
14. Legitimate Interests Assessment (LIA)
- Legitimate interest may provide a legal basis for Processing unless that interest is overridden by the fundamental rights and freedoms of the Data Subjects.
- When processing Personal Data of Data Subjects that are resident or based in the EEA, the UK or Switzerland (for example, patients of clinical sites based in the EEA, the UK or Switzerland, and Veristat's European, UK or Swiss employees), the existence of a legitimate interest must be carefully assessed before any Processing relies on it. The assessment includes whether the Data Subject could reasonably expect, at the time and in the context of the collection of the Personal Data, that Processing for that specific purpose may take place.
- The Legitimate Interests Assessment (hereinafter, "LIA") is a self-assessment to ensure that the Processing is lawful and complies with the GDPR principles. The LIA consists of a purpose test, a necessity test and a balancing test.
- Records of LIAs and their outputs are retained to demonstrate compliance with the GDPR, to show that proper decision-making processes are in place and to justify the outcome. The LIA is reviewed and refreshed if there is any significant change in the purpose, nature or context of the Processing. If the balancing test identifies a significant risk, a DPIA is conducted to assess the risk and potential mitigation actions.
15. Data Protection Impact Assessments (DPIA)
- When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland, and Veristat's European, UK or Swiss employees), and the Processing involves the use of new technologies and/or is likely to result in a high risk to the rights and freedoms of Data Subjects, having regard to the nature, scope, context and purposes of the Processing, Veristat performs a prior Data Protection Impact Assessment (DPIA) with the involvement of the DPO.
- Carrying out DPIAs enables Veristat to identify the most effective way to comply with its data protection obligations, to mitigate risks and to ensure the highest level of protection for the Personal Data processed. Assessing impact and risk before carrying out new Processing activities is part of the Veristat Privacy by Design approach: issues are identified and corrected at the source, reducing costs, potential breaches and risks.
- Solutions and suggestions are set out in the DPIA, and all risks are rated by likelihood and impact. The aim of the solutions and mitigating actions is to ensure that each risk is eliminated, reduced or formally accepted.
16. Prior Consultation with the Supervisory Authority
Veristat, with the assistance of the DPO, consults the applicable Supervisory Authority in advance if a DPIA indicates that the Processing would result in a high risk to the individuals concerned in the absence of additional organizational and security measures.
17. Data Retention, Storage & Disposal
- Veristat has defined retention periods according to the applicable Data Protection Laws, Good Clinical Practice (GCP) and Pharmaceuticals laws and regulations.
- Paper records are stored in a secure location that prevents access by unauthorized personnel. Access to restricted locations is governed by the authorization mechanisms described in our Business Continuity Plan. Electronic data are stored, secured and backed up according to the requirements of the Network and Security Monitoring Policy.
- Electronic and paper records are retained in line with Retention of Records.
- All Personal Data are disposed of in a way that protects the rights and freedoms of Data Subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion), giving priority to the protection of the Personal Data in all instances.
- Any file stored in soft copy on the repositories and servers authorized by Veristat must be deleted from the server and from any backup or secondary repository upon expiration of the relevant retention period.
18. International Transfers of Personal Data
- Transfer of Personal Data from the European Union or the UK to recipients or servers located in third countries is prohibited where the third country has not been recognized as adequate, appropriate safeguards have not been implemented, and no derogation or exemption applies (e.g., explicit consent of the Data Subject has been obtained).
- If Authorized Personnel are unsure of the implications of transferring Personal Data outside the EU, the UK or Switzerland, they must inform the Data Manager and the DPO so that the specific situation can be assessed.
- Where Personal Data are transferred outside the EU, the UK or Switzerland, the transfer is encrypted and, where possible, is also subject to data minimization.
- Veristat has implemented a Privacy Data Transfer Register and a Data Privacy Transfer Policy so that transfers can be tracked and their authorization verified.
19. Reporting and Management of Personal Data Breaches
- While every effort is made to reduce the risk of Personal Data Breaches, Veristat has dedicated controls and procedures in place for such situations, including notification of the Supervisory Authority and the Data Subjects concerned, when applicable.
- If a Personal Data Breach occurs, the following actions are taken:
  - Any Authorized Personnel who become aware of a potential or actual breach, or of a complaint regarding a Personal Data Breach brought by any individual or government agency, must inform the DPO within 1 business day.
  - In case of an actual or suspected Personal Data Breach, all Authorized Personnel must implement the mitigation actions decided by the DPO for the specific situation and assist the DPO in the investigation, remediation and notification (if applicable) of the Personal Data Breach.
- The DPO carries out a Personal Data Breach investigation to gather the information needed to make an informed decision about the nature of the potential or actual breach and whether further reporting is required, according to the nature, location and severity of the issue.
- This Policy is designed to provide global protection of Personal Data. If a potential or actual breach of Personal Data occurs outside the EEA, the UK or Switzerland, the DPO ensures that any local reporting requirements are adhered to. Actual and suspected Personal Data Breaches are reported to any required body within 72 hours of Veristat becoming aware of the breach, or within the different timeline specified under the applicable Data Protection Laws. The DPO liaises with all internal stakeholders (including, but not limited to, Senior Management, Information Technology and Quality Assurance & Compliance) to ensure the impact of the breach is minimized and that the risk of subsequent or repeated Personal Data Breaches is eliminated through corrective and/or preventive actions.
- Veristat keeps a Personal Data Breach Register. All Personal Data Breaches are recorded in the Register with details of: the circumstances of the breach; its consequences; and the measures taken to remedy it.
20. Data Subjects Rights and Subject Access Request (SARs)
The GDPR grants the following rights to Data Subjects whose Personal Data are processed:

| RIGHT | DESCRIPTION |
| --- | --- |
| Right of Access | The right to obtain confirmation of the existence of, and a copy of, the Personal Data, including information on: what Personal Data are being processed; the purposes of the Processing; the existence of the right to limit the use and disclosure of the Personal Data; the envisaged storage period or, where that is not possible, the criteria used to determine it; the recipients, if any, to whom the Personal Data are disclosed; and whether the Personal Data are used to make automated decisions relating to the Data Subject and, if so, the logic involved. |
| Right to Rectification | The right to have inaccurate Personal Data rectified and incomplete Personal Data completed and supplemented. |
| Right to Erasure / Right to be Forgotten | The right to have the Personal Data erased. |
| Right to Restriction of Processing | The right to have the use of the Personal Data restricted (e.g. termination of use of the Personal Data for market analysis purposes). |
| Right to Data Portability | The right to receive the Personal Data provided in a structured, commonly used and machine-readable format, and to transmit those Personal Data to another Data Privacy Controller. |
| Right to Object | The right to have the Processing of Personal Data terminated under certain circumstances (e.g. when the Processing relies on legitimate interest). |
| Right not to be Subject to a Decision Based Solely on Automated Processing | The right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects him or her. |
| Right to Withdraw Consent | The right to withdraw previously given consent at any time. |
- Subject Access Requests (SARs) can be made to the DPO via data_privacy@veristat.com.
- If any Authorized Personnel receive a SAR, they must forward it to the DPO by email to data_privacy@veristat.com within 1 business day of receipt. The DPO, with the support of the Data Manager, assesses the SAR within 1 business day of receipt to determine the scope of the request and the lawfulness of the Processing. SARs must be responded to within 1 calendar month of receipt of the initial SAR. Where retrieving or providing the information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. This is done only in exceptional circumstances, and the Data Subject is kept informed in writing throughout the retrieval process of any delays and the reasons for them.
- The requested information is provided to the Data Subject free of charge and in writing, or by other means authorized by the Data Subject, after prior verification of the Data Subject's identity where applicable (e.g. verbally or electronically).
21. Recourse, Enforcement and Liability
- Any complaints or concerns regarding the use, disclosure or transfer of Personal Data by Veristat should in the first instance be directed to the Veristat DPO at data_privacy@veristat.com.
- Complaints that cannot be resolved internally by Veristat are referred to the applicable independent dispute resolution body or Supervisory Authority designated to address complaints and provide appropriate recourse, free of charge to the individual: (1) the panel established by the EU DPAs and, as applicable, the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA); (2) the Swiss Federal Data Protection and Information Commissioner (FDPIC), an alternative dispute resolution provider based in the European Union and, as applicable, the United Kingdom and/or Switzerland, for HR data; or (3) the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States.
- In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veristat commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
- In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veristat commits to refer unresolved complaints concerning our handling of non-HR personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.
- The Federal Trade Commission has jurisdiction over Veristat’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
22. Inquiries and Complaints
Veristat commits to resolve inquiries and complaints about its Processing of Personal Data in compliance with this Policy and the applicable Data Protection Laws. Individuals with inquiries or complaints regarding this Privacy Policy may first contact Veristat at data_privacy@veristat.com.
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. To learn more, please visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
23. Auditing
- Veristat performs periodic audits to ensure that the organizational and security measures in place to protect Data Subjects and their Personal Data are adequate, effective and compliant at all times.
- The DPO has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place, and for reporting improvement and action plans to Senior Management.
- All reviews and audits are recorded by the DPO. Audit reports are provided to Senior Management for review and approval and can be made available to the Supervisory Authority upon request.
24. Violation of the Policy
Effective: 1 Feb 2024
Confidential and Proprietary.