Effective Date: 14-Sep-2023
3. Data Collected by CRIO
CRIO is a provider of software and services to life sciences companies for use in the conduct of clinical trials throughout the world. Acting as a third-party agent for our customers, CRIO receives and processes Personal Data (e.g. name, email, phone number) from study sponsors, research sites, various consultants/subcontractors.
As part of the products and services we provide, CRIO processes personal data, and protected health information (including detailed information regarding health status, medical assessments, test results).
CRIO intends that its corporate privacy policies, internal SOPs, and work practices are adequate to ensure compliance with applicable international laws and regulations including the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Protection Act (CCPA), EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Detailed contractual arrangements, SOPs and business policies govern all work with customer data and are available for audit/review by customers and regulatory authorities.
4. Definition of Terms
CRIO Terminology and Acronyms can be found within CRIO’s internal document repository.
5. Dispute Resolution
In compliance with the EU-U.S. Data Protection Framework (DPF) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CRIO commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact CRIO at: firstname.lastname@example.org or the mailing address below:
-Data Protection Officer-
177 Huntington Ave., Suite 1703 PMB 32876
Boston, MA 02115-3153
5.1 Alternative Dispute Resolution
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CRIO commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, the European Union, the United Kingdom, and Switzerland. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.
6. General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC, effective 25-May-2018. This regulation is directly applicable to each member state of the European Union and affects data controllers and processors inside and outside of the EU which collect data on EU data subjects.
CRIO assessed its technical and procedural safeguards to ensure compliance with the GDPR which are outlined below.
6.1 GDPR Definitions
For purposes of this regulation, the following definitions apply:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘third party’ means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
6.2 Notification Standards
Per the GDPR, data controllers are required to provide notice of a “personal data breach” to the supervisory authority “without undue delay, and where feasible, not later than 72 hours after having become aware of it”. As a data processor on behalf of the data controller (as defined in a specific contractual relationship), CRIO commits to the notification standard by following the process outlined in SOP-QMS-002 Quality Event Management.
6.3 Data Protection Officer
CRIO appointed a Data Protection Officer who monitors the organization’s compliance with the GDPR, including managing internal data protection activities, training staff, and conducting periodic reviews of the organization’s GDPR program.
This person also serves as the main contact for interactions with regulatory authorities concerning issues surrounding the processing of personal data. Additionally, this person is responsible for ensuring data subject rights regarding CRIO’s data protection practices, withdrawal of consent, the right to be forgotten, and that related rights are satisfied. This person operates independently from other business units and reports to CRIO senior leadership.
Per the GDPR, consent must be “freely given, specific, and unambiguous” with “a statement or clear affirmative action”. CRIO recommends that sites, sponsors and CROs request consent from the data subject that disclose the data processing activities prior to the collection of data.
At a minimum, include the following to describe CRIO’s processing of the data:
- Description of how CRIO will collect the data – through the CRIO application available via the internet.
- Description of where CRIO will store the data collected through its application.
- Description of how long CRIO will maintain and store the data.
6.5 Data Subject Rights
CRIO addresses Data Subject Rights covering the right of access, rectification and erasure restriction of processing, data portability, and to object through internally developed processes and procedures detailed in SOP-QMS-007 Data Subject Request.
Rights, subject to local law, as outlined in SOP-QMS-007 Data Subject Request include:
- Access to Personal Information;
- Rectification of information CRIO holds about Data Subjects;
- Erasure of Personal Information of Data Subjects;
- Restriction of CRIO’s use of a Data Subject’s Personal Information;
- The right to object to CRIO’s use of Personal Information;
- The right to receive Personal Information in a usable electronic format and transmit it to a third party (right to data portability); and
- The right to lodge a complaint with the local data protection authority if one exists in the Data Subject’s country.
CRIO encourages Data Subjects to contact us to update or correct Your Personal Information if it changes or if the Personal Information CRIO holds is inaccurate. It is likely that additional information may be required to honor the request.
It is possible that the Data Subject may continue to receive materials for a short period of time after a data deletion request while CRIO is updating its lists. A Data Subject’s records will then be permanently deleted from CRIO’s systems.
Data Subjects can exercise their rights by contacting CRIO at email@example.com or the mailing address below:
-Data Protection Officer-
177 Huntington Ave., Suite 1703 PMB 32876
Boston, MA 02115-3153
Our EU representative is Data Protection Representative Limited (trading as ‘DPR Group’), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 1-2 Marino Mart, Fairview, Dublin 3, Ireland.
Our representative in Switzerland is DataRep located at the following address:
Zurich, 8050, Switzerland
Our representative in the UK is DataRep located at the following address:
107-111 Fleet Street
London, EC4A 2AB
6.6 Adequacy Decision
Adequacy Decisions allow for data flow from the EU (and Norway, Liechtenstein, and Iceland) to a third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.
6.7 Data Protection Impact Assessment & SCC’s
As a processor, CRIO acts on behalf of the controller. When selecting a processor, controllers must use only processors that provide sufficient guarantees of their abilities to implement the technical and organizational measures necessary to meet the requirements of the GDPR. CRIO maintains a data protection impact assessment of its platform that can be made available to the controller to demonstrate its compliance with the GDPR.
Additionally, certain contract provisions regarding the tasks and responsibilities of the processor as well as standard contractual clauses are also mechanisms where the controller can establish the provisions of the processing carried out by the data processor. These provisions include how and when data will be returned or deleted after processing, and the details of the processing, such as subject- matter, duration, nature, purpose, type of data and categories of data subjects. The controller and processor may also choose to use standard contractual clauses as the legal basis for transfers of data outside of the EU, Switzerland, and the United Kingdom (and Gibraltar).
CRIO will follow the lead of the controller and either commit to the data protection requirements through contract provisions or standard contractual clauses or other acceptable mechanisms.
6.8 Third Parties
Personal Information of Data Subjects may be shared with agents, contractors or partners of CRIO in connection with services that these individuals or entities perform for, or with, CRIO. These agents, contractors or partners are restricted from using this information in any way other than to provide services for CRIO, or services for the collaboration in which they and CRIO are engaged. CRIO will not give, sell, rent, loan or otherwise disclose any Personal Information to any third party, unless permitted or otherwise authorized to do so.
CRIO reserves the right to share Personal Information in response to duly authorized information requests of any law enforcement agency, court, regulator, government authority, or other third party, where we believe such disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect CRIO’s rights or the rights of any third party.
We also may share aggregate, non-personal information about CRIO’s public-facing website usage with unaffiliated third parties. This aggregate information does not contain any personal identifiable information about our users.
6.8.1 Data Processor Subcontractors
Subcontractors of CRIO are also subject to the same requirements under the GDPR and they are also bound by any contracts with the controller.
The types of subcontractors that are being used include the following:
- Cloud hosting providers
- Third party software that supports our application functionality (including integrations)
- Third party contractors to support the development and maintenance of our products and services.
6.8.2 Liability in Cases of Onward Transfers
CRIO is responsible for the processing of personal data it receives under the Data Privacy Framework and subsequently transfer to a third party agent, and may be liable for onward transfers in violation of the Data Privacy Framework Principles.
6.9 Data Privacy Framework Compliance
The Federal Trade Commission (FTC) has jurisdiction over CRIO’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). CRIO is subject to the investigatory and enforcement powers of the FTC.
6.9.2 Binding Arbitration
By certifying against the EU-U.S. DPF, CRIO is obligated to arbitrate claims and follow terms as set forth in Annex I of the DPF principles, provided that an individual has invoked binding arbitration by delivering notice to CRIO and following the procedures and subject to conditions set forth in Annex I of Principles. For more information, visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset- 35584=2
6.10 CRIO’s mechanisms for transfer of data from EU, United Kingdom, and Switzerland to the U.S.
6.10.1 EU-U.S. Data Privacy Framework
The adequacy decision on the EU-U.S. Data Privacy Framework from 10-Jul-2023 covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework. By committing to the EU-U.S. Data Privacy Framework, CRIO is able to leverage the adequacy decision by the European Commission and use the framework as a mechanism to safely and freely transfer data from the EEA to the United States.
6.10.2 Standard Contractual Clauses
Where required by the controller and where applicable, CRIO will enter into the Standard Contractual Clauses, which are EU Commission-approved contracts between data exporters within the EU and data importers in so-called “third countries,” to transfer personal data from within the EU to recipients in those third countries in accordance with GDPR.
It must be noted that personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. Thus, CRIO continues to rely on the SCCs as the transfer mechanism for data from the UK and Gibraltar.
Furthermore, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. Thus, CRIO continues to rely on the SCCs as the transfer mechanism for data from Switzerland.
6.11 How does CRIO maintain compliance with GDPR, the Swiss Federal Act on Data Protection (FADP) and the UK GDPR?
By maintaining compliance with the EU-U.S. DPF, CRIO customers can opt to leverage the EU-U.S. DPF as an acceptable transfer mechanism.
Additionally, CRIO’s standard Data Processing Addendum incorporates the Standard Contractual Clauses (SCCs) for any transfers of personal data from within the EU, UK, and Switzerland to the U.S. that occur in connection with CRIO’s performance of its services.
- For any existing customers, whose current agreements do not already include the DPA and SCCs, CRIO can agree to amend the agreement to incorporate both.
- By executing its DPA and the SCCs, CRIO becomes legally obligated to comply with the relevant requirements of GDPR that apply to CRIO’s performance of its services. To that end, CRIO maintains robust internal policies and procedures to ensure data security, integrity, and data privacy.
- Data collected within CRIO within a certain region is subject to be stored regionally (e.g. EEA, UK, and Swiss data is maintained in the EU data center location).
- All data is encrypted (256-bit AES) in transit to CRIO’s databases and is maintained in pseudonymized form within CRIO’s systems.
7. California Consumer Privacy Act (CCPA)
10. Employee Responsibility
The security of data collected by CRIO, which includes sensitive clinical study data, is a responsibility of all CRIO employees. Unauthorized acquisition, access, use, or disclosure of personal data (including special categories of personal data) and Protected Health Information (PHI) in any form (verbal, paper, or electronic) in a manner not permitted by contractual agreements or CRIO policies or procedures, which compromise the security or privacy of the personal data and PHI, is prohibited.
If an employee becomes aware or suspects that an activity or conduct, which is proposed or has taken place, violates data privacy and/or information security policies or procedures, then the employee has the duty to report the incident immediately. Any such incidents must be reported either to the employee’s direct supervisor, the head of Human Resources, the head of Quality & Compliance, or Management.
11. Reporting Violations
Employee conduct can reinforce an ethical atmosphere and positively influence the conduct of fellow employees. If an employee is powerless to stop a suspected misconduct or discovers suspected misconduct after it has occurred, the employee must report their suspicions to their direct supervisor, the head of Human Resources, the Data Protection Officer, or Management.
Any reports that involve Management will be immediately communicated to the Board of Directors.
Violations reported by employees, whether by telephone, detailed notes and/or emails shall be dealt with confidentiality.
A failure to report known or suspected wrongdoing, about CRIO’s business, may, by itself, subject that individual or entity to disciplinary action, up to and including termination of employment.
No disciplinary action or other forms of retaliation or revenge will be taken against any employee who, in good faith, reports a concern, issue, problem or violation of law or regulation or Code of Conduct.
12. Employee Training
Due to the nature and importance of Data Privacy and to remediate the risk of regulatory compliance deviations, CRIO employees are subject to annual data privacy training. All individuals within the organization must have the appropriate training and qualifications to perform the tasks they are assigned in support of the environment containing regulated data.
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- EU-U.S. Data Privacy Framework (EU-U.S. DPF)
- Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
- UK Extension of the EU-U.S. Data Privacy Framework