ATTENTION: Please read these terms carefully before using this web site. Using this web site indicates that you accept these terms. If you do not accept these terms, do not use this web site.
PRIVACY SHIELD: Bioclinica complies with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union to the United States. To learn more about our Privacy Shield compliance, view the Privacy Shield section below.
This policy is effective: 01-APR-2019
This policy was last modified: 20-MAR-2019
DATA OWNER AND PROCESSOR
All data collected on this web site is owned and processed by Bioclinica and its affiliated companies, except as noted in the Summary and Details sections below. Please use the following contact information if you have any questions, complaints or requests regarding the handling of the data collected on this website.
211 Carnegie Center Dr.
Princeton NJ 08540
Any question related to the processing of personal data should be addressed to Bioclinica’s Data Protection Officer (DPO) at firstname.lastname@example.org
SUMMARY OF PERSONAL DATA COLLECTION
Personal Data is collected via the following means, and for the following purposes:
TYPES OF DATA COLLECTED
Among the types of information this application collects, by itself or through third-party services, are:
HOW THE COLLECTED DATA IS USED
Personal Information collected through this site may be used in the following ways:
- To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.
- To improve our website in order to better serve you.
- To evaluate your candidacy for clinical trials.
- To follow up with you after correspondence (live chat, email or phone inquiries).
THE RIGHTS OF DATA SUBJECTS
Data Subjects have certain rights regarding the data collected and processed by Bioclinica, Inc and its affiliated companies, including the following:
- The right to withdraw consent: Where users have previously expressly given consent for their information to be processed, they have the right to withdraw that consent at any time, except as restricted by national or international regulations.
- The right to be forgotten: Users have the right to have their personal data removed from the data stored by the system, unless that removal is prevented by law or regulations. For example, once user information is used within a clinical trial, that information must be retained for a period of time defined by various regulations.
- The right to access their data: Users have the right to view the data being stored and processed by the Data Controller, as well as a record of access to that data.
- The right to verify and correct their data: Users have the right to view the data being stored and processed by the Data Controller and request that it be updated or corrected.
- The right to restrict processing of their data: Users have the right, when their data has not yet been processed, to request that their data not be processed, or if their data has already been processed, to request that it not be processed further.
- The right to lodge a complaint: Users have the right to file a complaint with their relevant Data Protection Authority.
How to Exercise the Rights of Data Subjects
Data Subjects and their representatives may exercise their rights under the law by contacting the Data Controller defined in the Data Controller section at the beginning of this document.
LEGAL BASIS FOR THE PROCESSING OF COLLECTED DATA
The Data Controller may process the personal data and health related information provided on this web site relating to Data Subjects if one or more of the following are true:
- The user has given consent for the processing
- Processing of the data is necessary to fulfill an agreement or contract with the user
- Processing of the data is necessary for the purposes of the legitimate interests pursued by the Data Processor
- Processing of the data is necessary for compliance with laws or regulations to which Bioclinica, Inc and its affiliated companies are subject
TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
The Data Controller is only allowed to transfer data about Data Subjects collected within the European Union to countries outside the European Union within strict legal guidelines.
Data Transfer to the United States from the European Union or Switzerland – Privacy Shield
The transfer of data from the EU or Switzerland to the United States is conducted in accordance with the provisions set forth in the EU-US Privacy Shield and the Switzerland-US Privacy Shield. Refer to the EU-US Privacy Shield section of this policy.
Specifically, Personal Data collected within the European Union and Switzerland is transferred to servers in the United States which self-certify under the relevant Privacy Shield framework and thereby guarantee an adequate level of protection of the data being transferred.
STORAGE, PROCESSING AND SECURITY OF COLLECTED DATA
Bioclinica, Inc and its affiliated companies process the data collected through this web site in a proper manner as dictated by national and international laws, regulations and industry best practices, and shall at all times take appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of the data.
The Data Processing is carried out using computers and/or IT-enabled tools following organizational procedures and models strictly related to the purposes indicated. In addition to the Data Controller, in some cases the Data may be accessible to certain types of persons in charge involved with the operation of this web site (administration, sales, marketing, legal, system administration) or to external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.
Additional Information for Medical and Health Related Information
In the process of accessing this web site, you may be prompted to provide medical and health information so that medical professionals may evaluate your potential eligibility for clinical trials. The health information you provide will be handled in accordance with the Health Insurance Portability and Accountability Act of 1996, as amended, and applicable United States and International laws relating to the storage and security of this type of data.
Bioclinica, Inc and its affiliated companies are dedicated to ensuring the security, privacy and integrity of this data. The personally identifiable medical and health information provided is only accessible to medical professionals related to the specific clinical trial, and this information will only be shared with a study site to enable participation in the study, and as required by United States and International laws. This data will never be shared with, or sold to, any third party, except as strictly necessary for participation in the clinical trial.
Location of Storage of Collected Data
All data collected through this web site is stored at a secure data center or data centers located in the United States of America.
Verification and Validation of Collected Data
You have the right under the law to request, review and correct any personal information that has been collected by this web site, including Medical and Health Information, as well as to be informed of who has had access to this data. Additionally, you may request the secure destruction of Personal Information that has been collected. To do so, please contact us using the contact information at the top of this page.
Security of Collected Data
Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive information you supply is encrypted via Secure Sockets Layer (SSL) technology.
We implement a variety of security measures when a user enters, submits or accesses their information to maintain the safety of your personal information. These measures include, but are not limited to, multi-layer firewalls, adaptive scanning, and advanced intrusion detection systems.
We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information unless we provide users with advance notice. This does not include website hosting partners and other parties who assist us in operating our web site, conducting our business, or serving our users, so long as those parties agree to keep this information confidential. We may also release information when appropriate to comply with the law, enforce our site policies, or protect our or others' rights, property or safety.
However, non-personally identifiable (anonymous) visitor information may be provided to other parties for marketing, advertising, or other uses.
DETAILS ABOUT THE COLLECTION OF PERSONAL DATA
Personal Information is collected for the following purposes, and through the following mechanisms:
The following table lists the individual cookies used by this web site, and the duration of the cookies:
ADDITIONAL LEGAL INFORMATION
Information Not Contained in this Policy
More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.
Links to Other Web Sites and Applications
EU-US Privacy Shield
Bioclinica is an EU-US Privacy Shield certified entity and is required to ensure that (1) subject Protected Health Information (PHI), (2) trial participant Personally Identifiable Information (PII), and (3) employee, sponsor personnel, investigative site and vendor contact information are kept confidential and that the identities of those individuals remain private. The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data between the European Union (EU) and the United States (US). One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.
As an EU-US Privacy Shield certified entity, Bioclinica adheres to the following principles:
- Notice - Individuals must be informed that their data is being collected and about how it will be used.
- Choice - An organization must offer individuals the opportunity to choose (opt out) whether their personal information is used.
- Accountability for Onward Transfer - Transfers of data to sub-processors or third parties may only occur to other organizations that follow adequate data protection principles.
- Security - Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity and Purpose Limitation - Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing.
- Access - Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
- Recourse, Enforcement and Liability - Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals.
PII or Sensitive Personal Information (SPI), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. When identification is impossible, i.e. where the data can be anonymized by permanently disassociating the information from the individual, such data is not considered to be personal data and therefore is not subject to data protection rules. Bioclinica does not disclose personal information to third parties unless requested to or supported by trial contract. Bioclinica is subject to the investigatory and enforcement powers of the Federal Trade Commission and Food and Drug Administration. If a Bioclinica employee learns of any breach of Client Confidentiality, trial participant PHI or PII, or investigative site, employee or vendor personnel contact information, it is the responsibility of that employee to immediately follow critical issue escalation procedures.
In compliance with the Privacy Shield Principles, Bioclinica commits to resolve complaints about our collection or use of personal information. EU individuals with inquiries or complaints regarding Bioclinica’s Privacy Shield policy should first contact Bioclinica at 211 Carnegie Center Dr., Princeton, NJ 08540.
Bioclinica has chosen the EU DPAs to serve as an independent recourse mechanism (IRM) for dispute resolution (i.e., it has agreed to participate in the dispute resolution procedures of the panel established by the EU DPAs to resolve disputes pursuant to the Privacy Shield Framework). Bioclinica has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. Bioclinica maintains liability in cases of onward transfers to third parties if not supported by informed consent or contract. However, Bioclinica may be required to provide personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you. There is a possibility, under certain conditions, for individuals to invoke binding arbitration. Bioclinica Quality Assurance and Regulatory Compliance will follow Bioclinica’s standard compliance reporting strategy to ensure that each incident, its associated resolution and its disposition pathway are documented.
European Union General Data Protection Regulation (GDPR)
Fair Information Practices
The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.
In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:
- Notify affected users via e-mail within 7 business days.
We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.
California Online Privacy Protection Act (CalOPPA)
According to CalOPPA, we agree to the following:
- Users can visit our site anonymously.
You can change your personal information:
- By emailing us
- By calling us
- By chatting with us or by sending us a support ticket
Children's Online Privacy Protection Act (COPPA)
When it comes to the collection of personal information from children under the age of 13, the Children's Online Privacy Protection Act puts parents in control. The Federal Trade Commission, the United States' consumer protection agency, enforces the COPPA Rule, which spells out what operators of web sites and online services must do to protect children's privacy and safety online.
We do not specifically market to children under the age of 13. We do not collect or maintain information at our web site from those we know are under 13 years of age, and no part of our web site is structured to attract anyone under 13 years of age.
FREQUENTLY ASKED QUESTIONS
How does our site handle Do Not Track signals?
We honor Do Not Track signals and do not track, plant tracking cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.
Does our site allow third party behavioral tracking?
Our site does not allow any third-party behavioral tracking.