endpoint respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. In dealing with personal information collected from such entities, endpoint adheres to a variety of mandatory protections in accordance with the laws and regulations in the countries in which we operate and has put in place internal procedures to ensure that personal information is processed responsibly and in accordance with applicable data protection/privacy laws.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that collects or uses personal information under the instructions of, and solely for, endpoint or to which endpoint discloses personal information for use on endpoint’s behalf.
“endpoint” means endpoint Clinical, Inc., and its affiliates in the United States and around the world.
“Personal information” means any information or set of information that identifies or could be used by or on behalf of endpoint to directly or indirectly identify an individual or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Examples of Personal Information include a Data Subject’s or Study personnel name, address, telephone number or e-mail address. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.
“Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views or activities, that concerns health or sex life, information about social security benefits. In addition, endpoint will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.
The personal data transferred concern the following categories of data subjects, as applicable for the given endpoint services:
1. Staff, including employees, contractors, free-lance, part-time, trainees
2. Healthcare professionals
3. Study subjects
4. Study sponsors
5. Subcontractors, vendors
6. Investigative sites
7. Contact persons at investigative sites
8. Contact persons at study sponsors, subcontractors, vendors
9. Contact persons at external partners other than vendors and sponsors, e.g., third parties participating in meeting, conferences, trainings, audits
Categories of Data:
The personal data transferred concern the following categories of data:
1. Staff: Contact information including full name, work address, work phone number, work fax number, work email address, work mobile phone number, office e-mail address, office phone number, company cellular phone number, employment location, job title, assigned employee ID in corporate systems; Also, job function-related data, including job function, contractual details, education, work experience, CV, data about employee appraisal, national ID type, national ID, citizenship status, citizenship country, nationality, date of birth, gender, language skills, national and international passport details, travel visa details, issue country, passport issue city, passport issue state, passport expiry date, visa status, country for visa/permit (country name for which visa is applied/granted), home address, emergency contact information, employment location, contractual details, department, supervisor, employee expenses, education, company training history, performance rating history, birth country, birth city, days of absence taken per year, personal data required to provide data subjects with access to company computer systems and networks and tools to electronically communicate in terms of data importer’s service, including but not limited to IP address and user login name, passwords.
2. Healthcare Professionals: full name, date of birth, address, telephone number, fax number, email address and mobile phone number; identification number; banking data necessary to make payments to data subject; contract terms, invoices and payment-related information, professional licenses and certificates, work experience, position, professional membership, place of work, qualification, education, professional training, publications, awards, clinical trial experience, information on specialty and sub-specialty; and user data, including personal data required to provide healthcare professionals access to web portals, including but not limited to IP address and user login name.
3. Study subjects: initials, study subject’s code, date of birth, age, gender, ethnicity, race, medical history, health status, sexual life, medical evaluations.
4. Study sponsors: contact information, including full name, work address, work telephone number, work fax number, work email address, work mobile phone number and job title; and Information on the specific customer relationship with data exporter, including payments, deliveries, requests.
5. Subcontractors, vendors: name, address, telephone, fax numbers, name contact persons, tax numbers, bank details, contract terms, invoices and payment-related information.
6. Investigative sites: name, address, e-mail address, telephone, fax numbers, name of the head of the institution, bank details, taxpayer information, contract terms, invoices and payment-related information.
7. Contact persons at investigative sites: contact information including full name, work address, work telephone number, work fax number, work email address, work mobile phone number and job title; information regarding qualification and specialized experience, standard forms required by regulatory authorities.
8. Contact persons at study sponsors, subcontractors, vendors: name, position with the subcontractor, e-mail address, telephone, business correspondence.
9. Contact persons at external partners other than vendors: contact information, including full name, work address, work telephone number, work fax number, work email address, work mobile phone number and job title, information on joint projects with the data exporter.
Special categories of data (if appropriate)
The personal data transferred concerns the de-identified health related data of study subjects.
endpoint collects, processes, and stores Personal Information for the following purposes:
With respect to our customers and other business associates, we may use Personal Information as necessary to: maintain business records relating to past, present and potential customers, suppliers, contractors, joint venture partners and other business associates; collect and store customer information; conduct auditing, facilitate business communications, negotiations, transactions, conferences and compliance with contractual and legal obligations; and to provide goods and services, including clinical studies, to our customers.
With respect to the services we provide, we may use Personal Information in: support of our clients’ development programs for their products, which may include collecting demographic information; developing reports or other compilations of information; and monitoring the progress of the services we provide.
endpoint is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and United States Food and Drug Administration (FDA).
The privacy principles in this Policy have been developed based on the US-EU Privacy Shield Principles and US-Swiss Safe Harbor Principles.
NOTICE and CHOICE: With respect to the services endpoint provides, endpoint collects information on behalf of its clients, the client shall be responsible for providing notice to the individuals about the purpose for which it is collected and the types of non-agent third parties to which the information shall be disclosed. Where endpoint receives personal information from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
DATA INTEGRITY: endpoint will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. endpoint will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Transfers to third parties are covered by the provisions in this Policy regarding notice and choice.
Personal Information, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
In regards to the services endpoint provides, if the user is located outside United States and choose to provide information to us, please note that data is entered into a web user interface whose servers are located in the United States, where it is processed.
In addition, endpoint may transfer your data as contracted by the study sponsor or a CRO managing a study on behalf of a sponsor.
endpoint may also share an Individual’s Personal Information with Agents in connection with services that these individuals or entities perform for, or with, endpoint. endpoint may, for example, provide an Individual’s Personal Information to Agents for hosting our databases, for data processing services, or to send to that Individual the information that he or she requested.
endpoint will obtain assurances from its agents that they will safeguard personal information consistently with this Policy. Where endpoint has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, endpoint will take reasonable steps to prevent or stop the use or disclosure.
endpoint may also be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, endpoint is potentially liable.
ACCESS AND CORRECTION: endpoint acknowledges the individual’s right to access their personal information.
endpoint will, on request, provide an Individual with confirmation regarding whether endpoint is processing Personal Information about them. In addition, upon request of an Individual, endpoint will take reasonable steps to correct, amend, or delete their Personal Information that is found to be inaccurate, incomplete or processed in a manner non-compliant with this Policy or the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to that Individual’s privacy, where the rights of persons other than the Individual would be violated or where doing so is otherwise consistent with Privacy Shield Principles.
endpoint (in relation to the services it provides), has no direct relationship with medical research subjects participating in a clinical trial and any such Individuals who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct his or her query to the relevant study sponsor or investigator which has transferred such Personal Information to endpoint for processing.
SECURITY: endpoint will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
ENFORCEMENT: endpoint will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that endpoint determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
endpoint has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
endpoint has further committed to refer unresolved privacy complaints under the US-Swiss Safe Harbor to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.
EU and Swiss individuals whose HR data we receive can address questions or comments regarding the handling of that information directly to us at firstname.lastname@example.org. We resolve to deal with all questions regarding this data and potential grievances arising from it in a timely manner. Note that under certain conditions we may, as a data processor, have to refer you to our client who is the data controller.
In the event endpoint is unable to accommodate the individual’s request regarding HR data received by us within the context of the work relationship, we further commit to working with the Data Protection Authorities (DPA’s) who cover the jurisdiction the data originated from. For information on how to contact your jurisdiction’s DPA, visit http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
Adherence by endpoint to these Privacy Shield Principles and US-Swiss Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
endpoint may collect information through its websites that can identify You (but only if openly requested from and provided by You), such as your name, address, phone number, e-mail address, company name and position (As referred in the Definitions section of this policy). endpoint may use this information to respond to your requests for information, products or services. We do not automatically collect Personal Information, including your email address.
Session Log and Audit Trail Files
Our Session log files are stored in a secure location, and can only be accessed by specified employees of endpoint. This information may be kept indefinitely for historical purposes.
We make use of multiple databases to record and retrieve information sent to us through our IRT systems (such as contact information, name, address, email address, telephone numbers, fax numbers, title, etc.). This information may be kept indefinitely for historical purposes.
Web Browser Cookies
When you use our sites, endpoint may assign cookie files, which are a small amount of data we send to your web browser. Personnel utilizing endpoint IXRS websites can expect to receive cookie files to enable us to track the patterns of activities engaged in by different users.
Information Submitted Through the Website
Clinical Trial Subjects participating in a study which uses endpoint IRT services, or those acting on their behalf, who submit unsolicited information to an endpoint website, including Personal Information, may expect that we will share that information with our client who is responsible for the study. If a Clinical Trial Subject sends an unsolicited email to our website regarding a clinical study, we reserve the right to use or disclose the information contained in the email to third parties without seeking any additional consent from the Clinical Trial Subject.
Our websites also contain forms for completion and submission, such as on our ‘Contact Us’ page. Information submitted via these forms will be used for the purposes described on the page containing the form. You may expect that information submitted will be shared with the appropriate endpoint employees and Agents necessary to take action on the information or request submitted. For example, resumes or curriculum vitaes and information related to those seeking employment will be shared with the staff of the endpoint Human Resources Department and other endpoint employees involved in the hiring process.
Web Practices and Children
endpoint’s web sites are not intended or designed to attract children. We do not collect information or data on our Web site from children under the age of 13 nor do we desire to receive any information or data from children who visit our web site.
Questions or comments regarding this Policy should be submitted to the endpoint Compliance Office by mail to:
endpoint Quality Assurance
endpoint Clinical, Inc.
55 Francisco Street, Suite 200,
San Francisco, CA-94133
Or by e-mail to the endpoint Compliance Office at email@example.com
Please provide additional detail about your trial design and IRT needs. Let us know how best to reach you and a member of our team will contact you shortly.
Call us from within the United States:
Calling from outside the United States?