This Policy is effective as of 1 August 2017.
ABOUT HEALTH DECISIONS
Health Decisions is a full-service specialty Clinical Research Organization (CRO) that uses data-driven insight and agility to deliver clinical development success, enabling companies to bring products to market earlier and with less risk. Health Decisions’ comprehensive Agile Clinical Development methodology, enabled by proprietary LiveTrial technology, combines with deep development insight and expertise to provide excellence in every aspect of clinical research. Health Decisions’ headquarters is located in Durham, North Carolina.
For the purposes of the Policy, the following definitions shall apply:
“Agent” means any third-party Processing Personal Data on behalf of, and under the instruction of Health Decisions.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“European Union” or “EU” means for the purposes of this Policy all countries within the European Economic Area (EEA).
“Personal Data” means data about an identified or identifiable individual that are within the scope of Directive 95/46/EC (“the Directive”), received by Health Decisions in the United States from the European Union, and recorded in any form. It does not include personal information that has been anonymized or that is publicly available, that has not been combined with non-public personal information.
“Process,” “Processing,” “Processed” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sex life. In addition, Health Decisions will treat as sensitive, any Personal Data received from a third party where that third party treats and identifies the information as sensitive via a Controller or Agent contract with Health Decisions.
LIMITATIONS ON SCOPE
In such cases when Health Decisions is compelled to exercise any such authorization referred to above in (b), it shall limit its non-compliance with the Principles only to the extent necessary to meet the overriding legitimate interests furthered by such authorizations.
Health Decisions acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield and Swiss Privacy Shield.
- Health Decisions, operating as a CRO, may receive very limited Personal Data related to clinical trial support services from or on behalf of Controllers within the EU or Switzerland. Health Decisions Processes that data in the performance of services for and under the direction of those Controllers. Health Decisions, operating as an employer, may also receive Human Resources data about employees of its affiliates in the EU or Switzerland to carry out employment-related functions, such as benefits administration.
- When Health Decisions acts as a Controller and is the recipient of Personal Data, it shall provide the appropriate notice in clear and conspicuous language when individuals are first asked to provide Personal Data to Health Decisions, or as soon thereafter as is practicable. In addition, when Health Decisions is a Controller it will seek consent prior to using Personal Data for a purpose other than that for which it was originally collected or Processed.
- When Health Decisions acts as a Controller, Health Decisions offers individuals the opportunity to choose (opt out) whether Personal Data is (i) to be disclosed to a non-agent third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.
- For Sensitive Personal Data, when Health Decisions acts as a Controller, Health Decisions will give individuals the opportunity to affirmatively express consent (opt in) if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Health Decisions will treat as sensitive any Personal Data received from a third party where the third party identifies and treats it as sensitive via a Controller or Agent contract with Health Decisions.
- When Health Decisions is not the Controller with respect to certain Personal Data, we will effectuate individual choices communicated to us by the Controller.
ACCOUNTABILITY FOR ONWARD TRANSFER
- Health Decisions may share Personal Data with contracted third-parties who act as a Controller or other processors at the direction of those Controllers. Health Decisions shall enter into a contract with third-party Controllers prior to sharing Personal Data.
- Health Decisions takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
DATA INTEGRITY AND PURPOSE LIMITATION
- Health Decisions will only collect and Process Personal Data in a way that is consistent with, and relevant for, the purpose of Processing for which it was collected or authorized by the individual. Health Decisions may use Personal Data for compatible Processing purposes such as those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending Health Decisions’ legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
- Health Decisions will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Health Decisions will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Health Decisions will adhere to the Principles for as long as the Personal Data is retained.
- Upon request, when Health Decisions acts as a Controller, Health Decisions will provide individuals with reasonable access to their Personal Data, and in doing so will allow individuals the opportunity to correct, amend or delete Personal Data where it is inaccurate, or has been Processed in violation of the Principles. A request may be denied under certain circumstances, such as where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question, or where the rights of persons other than the individual would be violated. When Health Decisions is a processor and not a Controller, it will take reasonable steps to help the appropriate Controller respond, and will act on the reasonable direction of its Controller customers with respect to access.
RECOURSE, ENFORCEMENT AND LIABILITY
To contact Health Decisions for Privacy Shield-related issues, please use one of the contact methods below:
Complete the contact form at https://www.healthdec.com/privacyshieldcontact/
Email Health Decisions at email@example.com
Call Health Decisions at +1 919-967-1111
- For complaints that cannot be resolved, Health Decisions commits to cooperate with the panel established by the EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, and comply with the advice given by the panel or Commissioner about Personal Data transferred from the EU or Switzerland. In order to facilitate the handling of complaints, individuals in the EU can choose to contact their national DPA or use the form located at this link: http://ec.europa.eu/newsroom/document.cfm?doc_id=42962. Individuals in Switzerland can contact the Swiss Information Commissioner by visiting https://www.edoeb.admin.ch/kontakt/index.html?lang=en
- This independent dispute resolution process is provided at no cost to the individual. Under certain conditions an individual may choose to invoke binding arbitration to resolve any residual complaints not resolved by Health Decisions or the DPAs or FDPIC, as appropriate. If an individual formally invokes binding arbitration, Health Decisions will follow the terms set forth in Annex 1 of the Privacy Shield Framework. For more information on binding arbitration visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
- In the context of an onward transfer, Health Decisions has responsibility for the Processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Health Decisions shall remain liable under the Principles if its Agent Processes such Personal Data in a manner inconsistent with the Principles, unless Health Decisions proves that it is not responsible for the event giving rise to the damage.
INFORMATION WE COLLECT
Health Decisions may also record information about how individuals access the Site. This information is typically not personally identifiable and may include the internet protocol (IP) address (or the DNS name associated with it) of the individual’s device, the web sites the user visited immediately prior to and upon exiting this Site, and the browser software the individual is using to access the Site. This information is used to administer our systems and the Site, and to make improvements to and protect the Site.
INFORMATION WE SHARE
YOUR CHOICES AND ACCESS
You may visit and browse our Site without providing any personal information, and you can always choose not to provide us with the personal information we request. However, choosing not to provide us with certain information that we request may prevent you from accessing or using certain portions of our Site.
If you would like to change any information you submitted to us, or if you want to opt-out of receiving future communications from us, please contact us.
Health Decisions takes reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved and the nature of the personal information.