Synchrogenix Privacy Policy

Synchrogenix Information Strategies, LLC (“Synchrogenix” or “the Company”) cares about the privacy of its clients and business associates. The purpose of this policy is to provide its clients and business associates with information about what personal data the Company collects, why we collect it, how we use and handle it (including whether we transfer it to third parties), individuals’ rights to access any personal data collected from them and their choice/consent related to limitations on how it is shared; a point of contact in the organization where complaints about Synchrogenix’s handling of personal data can be directed; and information about how the Company is held accountable for safeguarding any personal data, should it be stored or transferred by Synchrogenix.

Synchrogenix is in the process of applying for Privacy Shield certification; see www.privacyshield.gov. As such, Synchrogenix agrees to adhere to the following Privacy Principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability, which are addressed herein. Privacy Shield certification will invoke the authority of United States (U.S.) regulatory bodies, including the Department of Commerce and the Federal Trade Commission, over the Company’s handling of the personal data detailed in this privacy policy, should it be transferred out of the European Union (EU), including whether it will be transferred onward to third parties, and will provide for an Independent Recourse Mechanism to help resolve individuals’ complaints regarding its handling of personal information.

I. Types of Personal Data Collected

Synchrogenix receives data that reflects personal information for individuals who participate in clinical trials. While the data is not clearly identifiable, Synchrogenix has access to data collected at the individual level.

A. Source Materials Received from Clients Regarding Clinical Trials

Source materials may contain the following types of information from individuals:

The type of data listed below could be from a Patient/Subject, Vendor Employee, Sponsor Employee (Non-signatory or Signatory), Investigator/Principal Investigator, or Committee Member:

• name (hand written or typed);

• initials (hand written or typed);

• signature;

• signature day, month, and year;

• ID codes (Patient/Subject; Personnel; Randomization/Treatment; Site/Center; Case; Investigator; Company, Manufacturer Control Numbers, Product Lot Numbers, and Government);

• email address;

• phone number and fax number with country code;

• website;

• address (street, suite/apartment number, city, state, zip code, and country);

• study roles;

• non-academic titles, academic qualifications, and academic titles;

• organizational titles and organizational departments;

• occupation;

• company name;

• date: day, month, and year;

• birth date: day, month, and year;

• death date: day, month, and year;

• age; and

• sex/gender, ethnicity, race, height, weight, and BMI.

II. Data Integrity and Purpose Limitation (Uses for Personal Data)

Synchrogenix receives source documents from clients containing personal data to create documentation associated with drug development and lifecycle support activities, including submissions to regulatory bodies worldwide, as well as documents intended for public disclosure.

Access to files containing this personal data is limited to the employees or contractors who have a legitimate business need. Document access controls are detailed in Synchrogenix’s Standard Operating Procedures (SOPs).

III. Security, Choices and Access

In providing products/services that involve the transfer of personal data, Synchrogenix is acting as a data processor of client-controlled data. After verifying the identity of the person requesting access to his or her data, Synchrogenix will use its best efforts to facilitate connecting that individual with the client that controls his or her data. An EU individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their written request to Ariel.Gruswitz@synchrogenix.com.

In addition, to protect this data and mitigate risk of a data breach, Synchrogenix employs the following security measures:

• SOP on systems access that employees train on annually;

• Privacy policies on which employees train annually;

• Privacy officer and Incident Response Team that field complaints; and

• Business Continuity Plan that contains incident response plans for escalation and resolution of data breach incidents.

IV. Accountability for Onward Transfer

In providing products/services that involve the transfer of personal data, Synchrogenix is acting as a data processor of client-controlled data. After Synchrogenix provides services to the client using the personal information, the information is destroyed, archived, or returned to the client per applicable SOPs and client agreements; it is not transferred on to any third parties. Synchrogenix’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Synchrogenix remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Synchrogenix proves that it is not responsible for the event giving rise to the damage.

If Synchrogenix ever were to engage in any onward transfers of personal data with third parties for a purpose other than that for which it was originally collected or subsequently authorized, Synchrogenix would provide that EU individual with an opt-out choice to limit the use and disclosure of their personal data.

Third parties that are not Synchrogenix employees who could have access to the personal data described herein include individual contractors hired to write or edit documents or service providers. The integrity and security of the personal data transferred to these third parties are protected by requirements to train on Synchrogenix privacy and confidentiality policies and/or contractual terms.

In addition, Synchrogenix may be required to disclose personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

V. Recourse, Enforcement, and Liability

A. Point of Contact for Complaints or Questions

Individuals have the ability to contact Synchrogenix regarding any questions or concerns related to its collection or handling of their personal data.

Ariel Gruswitz

Regulatory Counsel, Synchrogenix

Ariel.Gruswitz@synchrogenix.com

302-892-4800

B. Verification Procedures (Self-assessed or Third Party)

Synchrogenix verifies that its privacy policy is accurate, comprehensive, prominently displayed, and completely implemented and accessible and conforms to the Privacy Shield Principles, as follows:

• Individuals are informed of any in-house arrangements or independent mechanisms for handling complaints (found herein).

• It has established procedures for training employees in its implementation, including consequences for failure to follow it.

• It has in place internal procedures for periodically conducting objective reviews of compliance with the above, including a statement verifying self-assessment, which requires an internal review of this privacy policy, that is signed by a corporate officer at least once a year.

Synchrogenix recognizes that it must respond promptly to Department of Commerce inquiries.

Synchrogenix commits to cooperate with the Data Protection Authorities (DPAs) by declaring in its Privacy Shield self-certification submission to the Department of Commerce that the organization:

i. elects to satisfy the requirement in points (a) (i) and (a) (iii) of the Privacy Shield Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs;

ii. will cooperate with the DPAs in the investigation and resolution of complaints brought under the Privacy Shield; and

iii. will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.

C. Consequences of Non-compliance

In conjunction with its application for certification with the EU Privacy Shield, Synchrogenix uses Better Business Bureau (BBB) EU Privacy Shield as its Independent Recourse Mechanism (IRM), and by self-certifying with Privacy Shield, it is subject to US regulatory enforcement by the Federal Trade Commission and the Department of Commerce.

Synchrogenix will comply with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from EU member countries. Synchrogenix has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification page, please visit https://www.privacyshield.gov/.

In compliance with the EU-US Privacy Shield Principles, Synchrogenix commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact Synchrogenix at Ariel Gruswitz, Ariel.Gruswitz@synchrogenix.com, who will escalate it to the Incident Response Team (IRT), or directly to IncidentResponseManagement@synchrogenix.com.

Synchrogenix has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

Under certain limited conditions, individuals may invoke binding arbitration before the Privacy Shield Panel to be created by the US Department of Commerce and the European Commission.

 

Last Reviewed and Approved: January 2017