Veristat may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective and past), Investigator and other site staff, clinical trial participants and sponsors of clinical trials where Veristat provides contracted clinical trial services to clients, visitors to the website, or any other individual that Veristat has a relationship with or may need to contact.
Unless otherwise specified in the policy, this policy applies to all Processing operations carried out by Veristat in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Veristat’s Data Protection standards and to comply with international regulations governing Data Privacy. When Veristat processes Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Veristat). This policy applies to data collected and processed for any business purposes, including Talent & Culture (T&C); however, certain sections will apply only when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union or the UK. The policy also describes how any data breaches will be investigated and reported and protects the rights of all individuals who may have personal information collected by Veristat.
* * *
The General Data Protection Regulation (EU) (2016/679) (“GDPR”) is underpinned by 6 primary principles (Article 5 of the GDPR), as follows:
Depending on the type of Processing (e.g. marketing, contractual or legal obligations), the type of Personal Data (e.g. data relating to health), and the type of Data Subjects to which the Personal Data relate (e.g. children/minors), further principles and obligations may be imposed.
Authorised Personnel: Employees and consultants of Veristat (acting either as Data Privacy Controller or Data Processor), who are authorised to process or use the Personal Data on the basis of the tasks assigned to them in the performance of their duties.
Data Privacy Controller: The natural or legal person that determines the purposes, conditions, and means of the Processing of Personal Data — i.e., a company or organization which requires Personal Data. For the purposes of this Policy and with reference to the Processing described therein, the Data Privacy Controller is Veristat.
Data Privacy Coordinators: Internal focal points, identified for organisational purposes, for the practical and operational management of the Processing activities (e.g. T&C manager, Legal manager, etc.).
Data Privacy Breach: A data privacy breach is defined as a breach of security in a company, either Data Privacy Controller or Data Processor, which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Data Privacy Officer (DPO): An individual either internal or external to the organization tasked with informing and advising the organization/business and its employees/consultants about their obligations to comply with the Data Protection Laws; working towards the compliance with this policy and other Data Protection Laws; being the first point of contact for supervisory authorities/dispute resolution bodies and individuals whose data is processed.
Data Processor: A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller, such as cloud service providers or data analytics firms. Veristat may act as Data Processor on behalf of Clinical Trial Sponsors. Standard language related to obligations for Data Privacy and Data Processing will be included in Master Services Agreements (MSAs) or specific Data Processing Agreements (DPAs) with Clinical Trial Sponsors.
Data Protection Laws: For the purposes of this policy, the collective description of the GDPR, the UK GDPR, the UK Data Protection Act 2018, and any other relevant data protection laws that Veristat complies with.
Data Subjects: An individual who is the subject of Personal Data.
Personal Data: Information relating to an identified or identifiable natural person (i.e. a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Supervisory Authority: An independent entity or independent dispute resolution body that has the duty of hearing, investigating, and ultimately verifying complaints made by Data Subjects on privacy matters.
Third Party: A natural or legal person, public authority, agency or body other than the Data Subject, under the direct authority of Veristat, or as an independent Data Privacy Controller or joint Data Privacy Controller.
This Data Privacy Policy will also ensure that timely notice is provided whenever confidential information (including, but not limited to, “personal information” protected under applicable data security laws such as M.G.L. c. 93H and 201 CMR 17.00 et seq.) has been compromised as a result of a breach of Veristat’s internal and external data security measures. The notice to be provided to the resident of the Commonwealth of Massachusetts shall include the following information: the individual’s right to obtain a police report; direction on how to request a security freeze on his or her credit report; and any fees required to be paid to any consumer reporting agencies. The notice to affected residents shall not include the nature of the data security breach or the number of affected residents of the Commonwealth of Massachusetts. Veristat shall cooperate with law enforcement in its investigation of any data security breach incident and shall share all information relevant to the incident, with the exception of confidential business information and trade secrets.
When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat’s UK employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e. legal basis): the Data Privacy Controller has obtained the prior informed, freely given and documented consent of the Data Subject; or processing is necessary for compliance with legal obligations or regulation, for the performance of an agreement, for the protection of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority.
When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat’s UK employees), Veristat maintains updated records of Consent to demonstrate that, where applicable, the Data Subject has consented to Processing of his or her Personal Data.
When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat’s UK employees), Veristat has also implemented the following consent control mechanisms: opt-out links in mailings or electronic communications; opt-out process explanation and steps on the company website and in all written communications; and the ability to opt out in writing or by email. Consent withdrawal requests are processed immediately and without detriment.
Personal Data are protected with appropriate security measures, taking into account the status of technical innovation, their nature and the specific features of the Processing. Security measures can be defined as all those technical measures, electronic devices and/or computerised application systems.
Legitimate interest may provide a legal basis for Processing unless such interest is overridden by fundamental rights and freedoms of the Data Subjects. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Veristat’s UK employees), prior to Processing Personal Data based on legitimate interest, the existence of such interest must be carefully assessed, including the expectation of the Data Subject that, at the time and in the context of the collection of Personal Data, a Processing for that specific purpose may take place. The Legitimate Interests Assessment (hereinafter, “LIA”) is a self-assessment to ensure that the Processing is lawful and complies with the GDPR principles.
Veristat has defined retention periods according to the applicable Data Protection Laws, Good Clinical Practice (GCP) and Pharmaceuticals laws and regulations.
GDPR grants various rights to the Data Subjects whose Personal Data are processed. Veristat complies with those rights. Subject Access Requests (SARs) can be made to the DPO via data_privacy@veristat.com.
Questions, comments, concerns or complaints regarding this Policy or Veristat’s processing of Personal Information should be submitted to the Veristat Chief Privacy Officer at PrivacyOfficer@Veristat.com.
Veristat reserves the right to share an Individual’s Personal Information and contracts with Agents as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.
This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Information is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.
Veristat PRIVACY POLICY EFFECTIVE DATE: 26 FEB 2021