Synchrogenix Information Strategies, LLC (“Synchrogenix” or “the Company”) cares about the privacy of its clients and business associates. The purpose of this policy is to provide its clients and business associates with information about: what personal data the Company collects, why we collect it, and how we use and handle it (including whether we transfer it to third parties); individuals’ rights to access any personal data collected from them and their choice/consent related to limitations on how it is shared; a point of contact in the organization where complaints about Synchrogenix’s handling of personal data can be directed; and how the Company is held accountable for safeguarding any personal data, should it be stored or transferred by Synchrogenix.
I. Types of Personal Data Collected
Synchrogenix receives data that reflects personal information for individuals who participate in clinical trials. While the data is not clearly identifiable, Synchrogenix has access to data collected at the individual level.
A. Source Materials Received from Clients Regarding Clinical Trials
Source materials may contain the following types of information from individuals:
The types of data listed below could be from a Patient/Subject, Vendor Employee, Sponsor Employee (Non-signatory or Signatory), Investigator/Principal Investigator, or Committee Member:
• name (handwritten or typed);
• initials (handwritten or typed);
• signature day, month, and year;
• ID codes (Patient/Subject; Personnel; Randomization/Treatment; Site/Center; Case; Investigator; Company, Manufacturer Control Numbers, Product Lot Numbers, and Government);
• email address;
• phone number and fax number with country code;
• address (street, suite/apartment number, city, state, zip code, and country);
• study roles;
• non-academic titles, academic qualifications, and academic titles;
• organizational titles and organizational departments;
• company name;
• date: day, month, and year;
• birth date: day, month, and year;
• death date: day, month, and year;
• age; and
• sex/gender, ethnicity, race, height, weight, and BMI.
II. Data Integrity and Purpose Limitation (Uses for Personal Data)
Synchrogenix receives source documents from clients containing personal data to create documentation associated with drug development and lifecycle support activities, including submissions to regulatory bodies worldwide, as well as documents intended for public disclosure.
Access to files containing this personal data is limited to the employees or contractors who have a legitimate business need. Document access controls are detailed in Synchrogenix’s Standard Operating Procedures (SOPs).
III. Security, Choices and Access
In providing products/services that involve the transfer of personal data, Synchrogenix is acting as a data processor of client-controlled data. After verifying the identity of the person requesting access to his or her data, Synchrogenix will use its best efforts to facilitate connecting that individual with the client that controls his or her data. An EU individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their written request to Ariel.Gruswitz@synchrogenix.com.
In addition, to protect this data and mitigate risk of a data breach, Synchrogenix employs the following security measures:
• SOP on systems access that employees train on annually;
• Privacy policies on which employees train annually;
• Privacy officer and Incident Response Team that field complaints; and
• Business Continuity Plan that contains incident response plans for escalation and resolution of data breach incidents.
IV. Accountability for Onward Transfer
In providing products/services that involve the transfer of personal data, Synchrogenix is acting as a data processor of client-controlled data. After Synchrogenix provides services to the client using the personal information, the information is destroyed, archived, or returned to the client per applicable SOPs and client agreements; it is not transferred on to any third parties. Synchrogenix’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Synchrogenix remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Synchrogenix proves that it is not responsible for the event giving rise to the damage.
If Synchrogenix ever were to engage in any onward transfers of personal data with third parties for a purpose other than that for which it was originally collected or subsequently authorized, Synchrogenix would provide that EU individual with an opt-out choice to limit the use and disclosure of their personal data.
Third parties that are not Synchrogenix employees who could have access to the personal data described herein include service providers and individual contractors hired to write or edit documents. The integrity and security of the personal data transferred to these third parties are protected by requirements to train on Synchrogenix privacy and confidentiality policies and/or contractual terms.
In addition, Synchrogenix may be required to disclose personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
V. Recourse, Enforcement, and Liability
A. Point of Contact for Complaints or Questions
Individuals have the ability to contact Synchrogenix regarding any questions or concerns related to its collection or handling of their personal data.
Regulatory Counsel, Synchrogenix
B. Verification Procedures (Self-assessed or Third Party)
• Individuals are informed of any in-house arrangements or independent mechanisms for handling complaints (found herein).
• It has established procedures for training employees in its implementation, including consequences for failure to follow it.
Synchrogenix recognizes that it must respond promptly to Department of Commerce inquiries.
Synchrogenix commits to cooperate with the Data Protection Authorities (DPAs) by declaring in its Privacy Shield self-certification submission to the Department of Commerce that the organization:
i. elects to satisfy the requirement in points (a) (i) and (a) (iii) of the Privacy Shield Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs;
ii. will cooperate with the DPAs in the investigation and resolution of complaints brought under the Privacy Shield; and
iii. will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.
C. Consequences of Non-compliance
In conjunction with its application for certification with the EU Privacy Shield, Synchrogenix uses Better Business Bureau (BBB) EU Privacy Shield as its Independent Recourse Mechanism (IRM), and by self-certifying with Privacy Shield, it is subject to US regulatory enforcement by the Federal Trade Commission and the Department of Commerce.
Ariel Gruswitz, Ariel.Gruswitz@synchrogenix.com, who will escalate it to the Incident Response Team (IRT), or directly to IncidentResponseManagement@synchrogenix.com.
Synchrogenix has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Under certain limited conditions, individuals may invoke binding arbitration before the Privacy Shield Panel to be created by the US Department of Commerce and the European Commission.
Last Reviewed and Approved: January 2017