1. PURPOSE and SCOPE
endpoint Clinical Inc. (specified within this policy as “endpoint”) respects individual privacy and values the confidence of its customers, clinical trial participants, consumers, business partners and others. This notice is intended to explain to individuals and organizations external to endpoint how endpoint collects, holds, uses and discloses the Personal Information associated with those groups when functioning in the role of data processor for those entities.
In dealing with Personal Information collected from such parties, endpoint adheres to a variety of mandatory protections in accordance with the laws and regulations in the countries in which we operate and has put in place internal procedures to ensure that Personal Information is processed responsibly and in accordance with applicable data protection/privacy laws including the EU’s General Data Protection Regulation 2016/679 as well as the UK Data Protection Act of 2018.
With respect to our customers and other business associates, we may use Personal Information as necessary to: maintain business records relating to past, present and potential customers, suppliers, contractors, joint venture partners and other business associates; collect and store customer information; conduct auditing, facilitate business communications, negotiations, transactions, conferences and compliance with contractual and legal obligations; and to provide goods and services, including clinical studies, to our customers.
Further, with respect to the services we provide, we may use Personal Information in support of our clients’ development programs for their products, which may include collecting demographic information; developing reports or other compilations of information; and monitoring the progress of the services we provide.
The types of individuals and the data that has the potential to be collected in regard to the services that we provide for our customers, and other business associates that fall within the scope of this policy are:
- Healthcare professionals: full name, date of birth, address, telephone number, fax number, email address and mobile phone number; identification number; banking data necessary to make payments to data subject; contract terms, invoices and payment-related information, professional licenses and certificates, work experience, position, professional membership, place of work, qualification, education, professional training, publications, awards, clinical trial experience, information on specialty and subspecialty; and user data, including personal data required to provide healthcare professionals access to web portals, including but not limited to IP address and user login name
- Study subjects: initials, study subject’s code, date of birth, age, gender, ethnicity, race. Additional information such as data related to medical history, health status, sexual life, medical evaluations can be collected based on the clinical trial protocol requirements.
- Study sponsors: contact information, including full name, work address, work telephone number, work fax number, work email address, work mobile phone number and job title; and information on the specific customer relationship with data exporter, including payments, deliveries, requests.
- Subcontractors, vendors: name, address, telephone, fax numbers, name contact persons, tax numbers, bank details, contract terms, invoices, and payment-related information.
- Investigative sites: name, address, e-mail address, telephone, fax numbers, name of the head of the institution.
- Contact persons at investigative sites: contact information including full name, work address, work telephone number, work fax number, work email address, work mobile phone number and job title; information regarding qualification and specialized experience.
- Contact persons at study sponsors, subcontractors, vendors: name, position with the subcontractor, e-mail address, telephone, business correspondence.
- Contact persons at external partners other than vendors: contact information, including full name, work address, work telephone number, work fax number, work email address, work mobile phone number and job title, information on joint projects with the data exporter.
- Data Processing: any action performed on data, whether automated or manual.
- Data Subject: refers to the person whose data is processed.
- Data Controller: refers to the person who decides why and how Personal Information or data is processed.
- Data Processor: refers to any third party that processes personal data on behalf of a data controller.
- Model Contractual Clauses: standardized contractual clauses used in agreements between service providers and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU General Data Protection Regulation 2016/679.
- Personal Information (or data): any information or set of information that identifies or could be used by or on behalf of endpoint to directly or indirectly identify an individual or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
- Examples of Personal Information include a subject’s personal name, address, telephone number or e-mail address. Personal Information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Information.
- Sensitive Personal Information: Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views, or activities, that concerns health or sex life, or information regarding social security benefits. In addition, should a third party identify information as ‘sensitive Personal Information’, endpoint also treats this a ‘sensitive Personal Information’.
3. INTERPRETATION AND GUIDANCE
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89, not be considered to be incompatible with the initial purposes (‘purpose limitation’).
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 subject to implementation of the appropriate technical and organizational measures required by this regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)
4. Specific Information for end-users of endpoint Clinical Systems
For all instances where endpoint processes Personal Information (data) on behalf of their Clients, the organization assumes the role of data processor.
4.1. NOTICE and CHOICE: With respect to the services endpoint provides, endpoint collects information on behalf of its clients. It is the responsibility of the client to provide notice to the individuals about the purpose for which personal information is collected and the types of non-agent third parties to which the information shall be disclosed. Where endpoint receives personal information from entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates. Where data are used for a purpose that is materially different from the purpose(s) for which it was originally authorized or disclosed to a third party, we will update this policy to identify those instances and instruct individuals regarding how they can exercise opt in or opt out choice, as applicable.
4.2. DATA INTEGRITY: endpoint will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. endpoint will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
4.3. TRANSFERS TO AGENTS: Transfers to third parties are covered by the provisions in this Policy regarding notice and choice.
4.3.1.Personal Information may be transferred to — and maintained on — computers located outside of state, province, country or other governmental jurisdiction where the data protection laws may differ than those from the immediate jurisdiction.
4.3.2.With regards to the services endpoint provides, if the user is located outside United States and chooses to provide information to endpoint, please note that data is entered into a web user interface whose servers are located in the United States, where it is processed. If needed, endpoint may utilize model contractual clauses and other mechanisms approved by the European Union/EEA may when transferring PII from those regions to the United States in order to comply with privacy requirements from those countries.
4.3.3.In addition, endpoint may transfer data as contracted by the study sponsor or a CRO managing a study on behalf of a sponsor.
4.3.4.endpoint may also share an Individual’s Personal Information with Agents in connection with services that these individuals or entities perform for, or with, endpoint. endpoint may, for example, provide an Individual’s Personal Information to Agents for hosting endpoint’s databases, for data processing services, or to send to that Individual the information that they have requested.
4.3.5.endpoint will obtain assurances from its agents that they will safeguard personal information consistent with this Policy. Where endpoint has knowledge that an agent is using or disclosing personal information in a manner inconsistent with this Policy, endpoint will take reasonable steps to prevent or stop the use or disclosure. Pursuant to the EU-US Data Privacy Framework Program, endpoint Clinical remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
4.3.6.endpoint Clinical remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
4.3.7. endpoint may also be required to disclose an individual’s personal information in response to a lawful request by public authorities, including, but not limited to, national security or law enforcement requirements.
4.4. ACCESS, CORRECTION and LIMITING USE AND DISCLOSURE OF DATA:
4.4.1. endpoint acknowledges the individual’s right to access their personal information. endpoint will, on request, provide an Individual with confirmation regarding whether endpoint is processing Personal Information about them. In addition, upon request of an Individual, endpoint will take reasonable steps to correct, amend, or delete their Personal Information that is found to be inaccurate, incomplete or processed in a manner non-compliant with this Policy, except where the burden or expense of providing access would be disproportionate to the risks to that Individual’s privacy, where the rights of persons other than the Individual would be violated. Individuals may request access via endpoint’s website.
4.4.2. endpoint (in relation to the services it provides), has no direct relationship with medical research subjects participating in a clinical trial and any such Individuals who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct his or her query to the relevant study sponsor or investigator which has transferred such Personal Information to endpoint for processing. In cases where the subjects contact endpoint Technical Support directly by phone or email to submit such requests, they will be instructed to contact the study sponsor or investigator and all contact details typically collected by endpoint (name, phone number, email address) will be deleted from the Technical Support system. The client will reach out to endpoint to communicate the subjects’ request and will only provide endpoint the data collected by the IRT system.
4.5. SECURITY: endpoint will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
4.6. ENFORCEMENT: endpoint will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that endpoint determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
4.7. DISPUTE RESOLUTION:
In compliance with the EU-US Data Privacy Framework program’s Principles, endpoint Clinical commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union individuals with DPF inquiries or complaints should first contact endpoint at: email@example.com.
endpoint Clinical has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
EU individuals whose HR data we receive can address questions or comments regarding the handling of that information directly to us at firstname.lastname@example.org. endpoint resolves to deal with all questions regarding this data and any potential grievances arising from it in a timely manner. Note that under certain conditions endpoint may defer to clients for this data.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2. In the event endpoint is unable to accommodate the individual’s request regarding HR data received by us within the context of the work relationship, endpoint further commits to working with the Data Protection Authorities (DPA’s) who cover the jurisdiction the data originated from. For information on how to contact DPA’s, please visit http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
4.8. LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by endpoint to these Data Privacy Framework Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
4.9. INFORMATION COLLECTED AND SUBMITTED ON endpoint IRT Systems
endpoint may collect information that can identify You (but only if openly requested from and provided by You), such as your name, address, phone number, e-mail address, company name and position. endpoint may use this information to respond to your requests for information, products or services.
4.9.1.Session Log and Audit Trail Files
endpoint’s session log files are stored in a secure location and can only be accessed by specified employees of endpoint. This information may be kept indefinitely for historical purposes.
endpoint makes use of multiple databases to record and retrieve information sent to us through IRT systems (such as contact information, name, address, email address, telephone numbers, fax numbers, title, etc.). This information may be kept indefinitely for historical purposes.
4.9.3.Web Browser Cookies
endpoint may assign cookie files, which are a small amount of data endpoint sends to user’s web browsers. Personnel utilizing endpoint IRT websites can expect to receive cookie files.
4.9.4.Information Submitted Through the Website
Clinical Trial Subjects participating in a study which uses endpoint IRT services, or those acting on their behalf, who submit unsolicited information to an endpoint website, including Personal Information, may expect that endpoint shares that information with clients who are responsible for the study. If a Clinical Trial Subject sends an unsolicited email to endpoint’s website regarding a clinical study, endpoint reserves the right to use or disclose the information contained in the email to third parties without seeking any additional consent from the Clinical Trial Subject.
endpoint’s websites also contain forms for completion and submission, such as on a ‘Contact Us’ page. Information submitted will be used for the purposes described on the page containing the form. One may expect that information submitted will be shared with the appropriate endpoint employees and Agents necessary to take action on the information or request submitted. For example, resumes or curriculum vitaes and information related to those seeking employment will be shared with the staff of the endpoint Human Resources Department and other endpoint employees involved in the hiring process.
4.9.5.Web Practices and Children
endpoint’s web sites are not intended or designed to attract children. We do not collect information or data on from children under the age of 13 nor do we desire to receive any information or data from children who visit our web site.
4.10. CONTACT INFORMATION
Questions or comments regarding this Policy should be submitted to our Quality, Trust and Compliance Department either by sending an email to email@example.com, or by writing to our headquarters at the following address:
Quality, Trust and Compliance Department
endpoint Clinical, Inc.
701 Edgewater Drive, Suite 320
Wakefield, MA 01880