EU-US & Swiss-US Privacy Shield Policy
The essential basis of our work is the collection and analysis of the most sensitive information about human beings: medical data. As a contract research organisation, we want to provide a confidential and safe environment in which study participants, the people who work with us to carry out our services, and our own employees can be sure that their personal information (“personal data”), and in the case of study participants their medical data, is handled in full awareness of the data protection regulations and of the high importance of their safety. Every day, this data supports clinical research in finding new, faster and more effective approaches in medicine.
That is why we provide an environment of trust, in which the affiliates, vendors and business partners who work with us also implement safe data protection practices according to the applicable laws. We, as part of a global group of companies, and our entities operate in a responsible way with due care for individual privacy, complying with all applicable laws on data privacy and confidentiality. The following data protection policy describes the categories of personal data we process within our group of companies, how that information is used and disclosed, and our commitment to the human beings whose information we handle. It also explains how we comply with data privacy laws and regulations, implementing the European General Data Protection Regulation (“GDPR”) for personal data of data subjects from the EU/EEA. This includes providing you with choices regarding the use, access and correction of your personal data.
EU-US Privacy Shield and Swiss-U.S. Privacy Shield
Navitas Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Navitas Inc. is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. Additionally, Navitas Inc. complies with Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Switzerland to the United States. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. [https://www.privacyshield.gov/list]
Navitas Inc. is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Navitas Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Navitas Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Navitas may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Categories of Personal Data and Purposes
Medical Data of Study Subjects
As a global contract research organization, we collect, host and analyse substantial quantities of medical data of study subjects at the request of, and as a contractual obligation towards, our clients. Prior to their participation and before sharing any information, all study subjects are informed about the categories of data required for study purposes (such as master data (weight/height/gender) and special categories of data (health data)), used for the analysis and evaluation of the study, as well as about the process of personal data handling. The consent of the study subjects constitutes the legal basis for personal data processing in accordance with Article (“Art.”) 6 section (“sec.”) 1 sentence (“sen.”) 1 litera (“lit.”) a, Art. 7 GDPR, together with our contractual obligations towards our clients (Art. 6 sec. 1 sen. 1 lit. b GDPR). To assure privacy and data protection, consistent with the legal requirements of Good Clinical Practice (“GCP”) and the GDPR, as applicable, study subject names and other direct identifiers are not attached to records or samples collected by NLS for study purposes. The collected data is pseudonymised: the necessary health data is separated from names and addresses and can only be linked back to a person by means of a key code. Only investigators (study doctors) and authorized personnel, including the client, NLS monitors and NLS monitoring subcontractors, and auditors/inspectors may access named subject records at source. The key code is kept only by the investigator and authorized health care personnel at the study sites. Direct identification of the collected data via the key code may only be requested under a special study procedure, for the benefit of patient safety.
In the terms established by the data protection laws, when processing subject information on behalf of clients, NLS and its affiliates are “processors”, whereas the client is the “controller”, being completely in control of how and why personal data, in particular health data, are processed within NLS services. In the rare case of NLS being the sponsor of a clinical trial, the position of the company as a “controller” is clearly defined and disclosed, with the specific responsibilities that entails and with the same attention to correct and compliant data handling. In both of these positions NLS maintains a record of its processing activities of personal data and commits to continuous improvement of a compliant data protection management system.
Additionally, we may receive personal data, including medical data, about you from other sources, including investigators and laboratories on behalf of the clinical trial sponsor, and combine this personal data with information we already have about you. This helps us to update, expand and analyze the development of the clinical trial. If others give us your information, we will only use that information for the specific reason for which it was provided to us.
Data of Health Care Personnel
To fulfill our contractual obligations, we collect personal data of investigators and health care personnel (such as names, contact details, professional profiles) involved in the studies managed by us. Art. 6 sec. 1 sen. 1 lit. b GDPR forms the legal basis for this processing. Additionally, we collect and analyse the professional profiles of study sites, doctors and other health care providers for the purpose of identifying potential study sites, investigators and providers for possible future cooperation. This processing is based on the consent of such individuals, institutions and companies. We will use available contact information, including email addresses, for the purpose of inviting potential study sites, investigators and providers to participate in the studies managed by us. We will source professional information from our own databases and also indirectly from additional sources, including public ones (clients, global data plc., clinicaltrials.gov). For operational purposes, we collect information related to the involvement and performance of study sites, providers and investigators, and we process their financial information to support payment for services. The processing of personal data is based on the consent of such individuals, on our contractual obligations and on our legitimate interests as described in this section (for the EU/EEA: Art. 6 sec. 1 sen. 1 lit. a, b and f GDPR).
Employee and Human Resource Data
NLS collects and uses personal data from candidates applying for employment with us, whether directly or, for example, through head-hunters, including all necessary data contained in their CV, such as private contact details and professional qualifications, in order to make employment decisions. Once a candidate is employed, NLS collects information on staff for human resources, performance, payroll and tax purposes in the context of the employment. NLS will collect and record employee-level information in electronic systems which can only be accessed by authorized personnel, consistent with standard business operations and standard operating procedures. The processing is necessary for the performance of the employment contract, in order to take steps at the request of the candidate prior to entering into such a contract, or to fulfil the legal obligations of an employer, as applicable (for the EU/EEA: Art. 6 sec. 1 sen. 1 lit. b and c GDPR).
Furthermore, Navitas Inc. is committed to cooperating with the European Union data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and to complying with the advice that may be given by such authorities with regard to human resources data transferred from the European Union and Switzerland in the context of the employment relationship.
In the course of conducting its business, NLS may also collect from you the following personal data about your contacts: (i) an emergency contact (name/relationship/contact details), in case of a health or other emergency, and (ii) names and contact details of previous colleagues or references, for reference checks. When you provide us with personal data about your contacts, we will only use this information for the specific reason for which it is provided. If you believe that one of your contacts has provided us with your personal data and you would like to request that it be removed from our database, please contact us as listed in the “Questions, Complaints and Requests to Exercise Rights” section of this policy.
In the course of conducting our business, NLS will interact with employees, consultants, contractors and other third parties employed or engaged by us or by our clients and involved in our businesses. NLS will record and use the names, contact details and professional information of these individuals for legitimate business-related purposes, including project and financial administration. Professional CVs of employees may be used in particular for verification of our services and for marketing towards existing and potential clients (for the EU/EEA, Art. 6 sec. 1 sen. 1 lit. f GDPR forms the basis for this processing).
Website Visitors Data
Although most areas of our website can be accessed without submitting any information that personally identifies individuals, our Resources section and our Get in Touch section require the disclosure of certain personal data to make communication possible: first name, last name, business email, company, job title, preferred interests, country and an individual message. This processing is legitimized by your consent (see Art. 6 sec. 1 sen. 1 lit. a, Art. 7 GDPR, if you are a citizen of the EU/EEA). If you have submitted personal data to NLS and would like that information modified or deleted from our records, please contact us at firstname.lastname@example.org. We will use reasonable efforts to modify or delete the personal data from our existing files.
Sharing of Information: NLS does not rent, sell or share personal data about you with third parties or non-affiliated companies except to provide products or services you have requested, when we have your permission (Art. 6 sec. 1 sen. 1 lit. a and b, Art. 7 GDPR), or under the following circumstances:
- We provide the information to trusted partners who work on behalf of or with NLS under confidentiality and data protection agreements. These companies do not have any independent right to share this information.
- We respond to subpoenas, court orders or legal process, or to establish or exercise our legal rights or defend ourselves against legal claims.
- We transfer information about individuals if NLS is acquired by or merged with another company. In this event, NLS will take care that the information is treated according to a standard which is at least at the same level as our current standard of data protection.
Navitas’ website may contain links to other third-party websites. We recommend that any individual carefully review their privacy policies and practices before accessing these websites. Navitas is not responsible for the content of these websites or their privacy policies.
We would be pleased to send you information about products and services of ours and of other companies in our group which may be of interest to you. Your consent forms the legal basis for the processing of your contact data (Art. 6 sec. 1 sen. 1 lit. a, Art. 7 GDPR). Additionally, the representation and advertisement of our products and services forms a legitimate interest in the sense of Art. 6 sec. 1 sen. 1 lit. f GDPR for processing your contact data, unless you have withdrawn your consent. If you have consented to receive marketing or promotion related material, you always have the option to opt out by emailing email@example.com.
Within the Navitas group we provide a subscription-based network service, the Nets System (“netsnavigator”), whose members are free to download, use, post, share or upload content of any kind relevant to the network. The processing of personal data (name, business email, company, job title, country, preferred interests) for access is legitimized by the consent of the participant (Art. 6 sec. 1 sen. 1 lit. a, Art. 7 GDPR). The Nets System provides a forum for the exchange of ideas in a variety of settings. If personal data is collected within the Nets System, this is done only for business purposes: to increase compliance and to become more efficient, proactive and flexible. Members need to sign a user contract to participate in the network, which forms the further legal basis (Art. 6 sec. 1 sen. 1 lit. b GDPR).
Cookies
Our website uses cookies to:
- allow visitors a smooth connection setup to our website,
- allow site visitors to personalize their experience on our website,
- track a user session within our website (date and time, name and URL of retrieved data, referrer-URL, used browser),
- evaluate system security and stability, and
- prevent duplication in voting or participation in surveys.
If you do not wish to receive cookies, you may be able to refuse them at the individual browser level and by not agreeing to their use upon entering the website. If you do so, we may be unable to offer you some of our functionalities, services or support. If you have previously visited our website, you may also have to delete any existing cookies from your browser. To manage Flash cookies, see: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
Through the use of cookie-based technologies, our company group may collect various data linked to virtual identities allocated to visitors when they access our websites, as described above. This data is used for various purposes, including site analytics and first-party marketing. In certain cases, these virtual identities are linked to the real-world identities of visitors when they provide their named information. This allows NLS to tailor marketing messages to those individuals, including information that is likely to be of interest to them. Our legitimate interests as described in this section form the legal basis for this processing in accordance with Art. 6 sec. 1 sen. 1 lit. f GDPR.
Use of IP Address
We receive IP addresses in the normal course of operating our website. An IP address is a number assigned to you by your Internet service provider so that you can access the Internet. Although we do receive IP addresses, we do not use them to identify you personally, nor do we disclose them to others.
Disclosure and Transfer of Data
Internal and External Disclosures of Personal Data
Personal data will be shared within NLS, with affiliates, with companies working as processors for NLS, with clients and with third parties only on a data-minimized basis, to meet stated legitimate business purposes (such as presenting options to carry out clinical trials/projects; administering and coordinating the clinical trial/project in different countries; offering services and products to business partners) and to fulfil legal and contractual obligations (such as reporting the current status of the clinical trial/project; obtaining approval from the local Ethics Committee), Art. 6 sec. 1 sen. 1 lit. b, c and f GDPR. Access to databases and folders containing personal data is restricted to appropriate and authorized individuals. Under some circumstances, NLS may be required by law enforcement or judicial authorities to disclose certain personal data as part of investigations or for litigation purposes, Art. 6 sec. 1 sen. 1 lit. c GDPR.
Companies working as vendors of NLS for or in EU/EEA will be required to sign data processing agreements, if applicable, whereby they will commit to only process personal data consistent with contracted purposes and apply appropriate organizational and technical security measures, Art. 28, 32 GDPR.
International Transfers of Personal data
We belong to a global group of companies and, as such, we process data in many countries. To conduct our business, and in accordance with this data protection policy, your personal data might be transferred to Navitas entities and to third-party vendors of Navitas located worldwide. All transfers will occur in compliance with the data transfer requirements of applicable laws and regulations. Companies working as vendors of NLS will be required to sign data processing agreements, if applicable, whereby they commit to only process personal data consistent with the contracted purposes and to apply appropriate organizational and technical security measures. Where personal data originating from the European Economic Area is transferred to Navitas entities, or to third-party vendors engaged by Navitas to process such personal data on our behalf, located in countries that are not recognized by the European Commission as offering an adequate level of personal data protection, such transfers are covered by appropriate safeguards, specifically the standard data protection clauses adopted by the European Commission (Art. 46 sec. 2 sen. 2 lit. c, Art. 93 sec. 2 GDPR). If applicable to you, you may obtain copies of such safeguards by contacting Navitas or our Data Protection Officer via email: DPONLS@navitaslifesciences.com.
In the course of developing its business, NLS may also occasionally acquire subsidiaries or other business entities. As a result of such transactions, and in order to maintain a continued relationship with the individuals concerned, NLS may transfer relevant personal data to a related affiliate. If our group of companies is involved in a reorganization, merger, acquisition or sale of our assets, relevant personal data may be transferred as part of that transaction, subject to the applicable data protection measures.
NLS has a comprehensive information security policy that seeks to apply technical and organizational security measures that protect personal data, particularly sensitive clinical data, against unauthorized access or loss. Consistent with regulatory requirements, particularly GDPR, as applicable, NLS also maintains a detailed Security Breach Policy, which establishes a procedural response to dealing with any breach of personal data, including making any necessary notifications to individuals or supervisory authorities.
Technical and Organisational Measures
- Standard Operating Procedures (“SOP”) and SOP Training: Information security measures are covered by SOPs, which are only implemented after documented training. SOP trainings are provided for new SOPs, when changes are implemented, and for all new staff.
- Data Protection: A data protection officer takes care of all potential issues concerning stored and processed data.
- Confidentiality Agreement: Each employee is obliged to maintain confidentiality about the secret aspects of his/her work for NLS. Vendors (e.g. for an EDC system) and partner CROs are formally evaluated and must sign a confidentiality agreement before being allowed to work for NLS. Confidential information is disclosed on a need-to-know basis.
- Roles and Responsibilities: Roles and responsibilities are assigned at a global level (job descriptions) and at a study level. Access to data is granted depending on the role/responsibility.
- Prevention of Unauthorized Access to / Misuse of Data: NLS has a comprehensive system of physical and virtual safety and security measures to prevent unauthorized access to and misuse of data. This system has proved to be adequate during numerous sponsor system audits. All persons entering the NLS premises are received at the reception. External visitors are accompanied by a coworker, who ensures that they have no uncontrolled access to any confidential information or to any location containing such information.
Paper Case Record Forms (“CRFs”) and documents containing personal data are kept in locked cabinets, accessible only to authorized personnel. The document archive can likewise only be accessed by authorized personnel.
Electronic data is stored on central servers. Server rooms are locked at all times and access is restricted to authorized personnel. All NLS personnel are required to log on to the NLS computer network using a personal user ID and a network access password. The interval for changing passwords and other relevant rules are defined.
Users are instructed during the IT introduction on how to choose suitable passwords for any system accounts. Passwords are checked for suitability by the system (minimum complexity). Study-related information and data on the server can only be accessed by authorized users who are allowed to work with that study's information. Internet access is restricted by the firewall configuration as a protection against external attacks: only a restricted traffic profile is allowed and all other activity is blocked.
Documentation and monitoring of data misuse:
Each access to a file is scanned by an on-access scanner; this also covers access to websites. The advanced threat protection system is notified immediately when a malware alert occurs and takes appropriate measures depending on the nature of the alert and the associated risks, which may include full system scans, temporary isolation of the affected system, or no immediate action in the case of an obvious false positive.
In individual cases, users are informed about the appearance of dangerous spam when it could be confused with a regular email (e.g. because the sender appears trustworthy but is actually forged).
Data management systems used for entering data in clinical trials are equipped with an audit trail that records who made which changes to the data and at what documented point in time. These systems have a separate (additional) administration of user access and roles.
- Separation of Data
Different studies are stored in different directories on the servers and/or in data centers.
- Data Transfer
Data transfers between NLS subsidiaries take place via secure channels (e.g. Secure Copy over SSH or Upload via SSL encrypted websites).
For data transfers to the client or to third parties, data files are transferred according to the client's requirements.
Data backups are performed on a regular basis: there are daily backups as well as monthly full backups. Furthermore, additional full backups are taken and archived as necessary.
- Computer System Validation
Requirements and installation instructions related to security are documented within the software development and computer system validation process.
NLS validates the computer systems it uses to collect, analyze, report or store data from clinical trials. This covers installation qualification (IQ), operational qualification (OQ) and performance qualification (PQ), all guided by a validation master plan. Procedures for change management (including software updates), security management, business contingency and periodic review of the validation status ensure that the risk of a threat to the system is minimized.
NLS has executed Standard Data Protection Contract Clauses (“SCC”) with its affiliates for the purpose of transferring personal data from the European Economic Area in order to conduct clinical trials and offer its services as a contract research organisation in Europe and globally. EU residents whose personal data is handled under these SCC may request a copy of the agreement from NLS: study subjects through their investigator (study doctor) where patient personal data is concerned, and directly from NLS where the personal data of investigators, health care personnel, business partners or vendors is concerned.
Data Protection Impact Assessment
Wherever a type of processing of personal data carried out by Navitas as a Controller is likely to result in a high risk to the rights and freedoms of natural persons a Data Protection Impact Assessment is carried out prior to the processing pursuant to Chapter IV of the GDPR, as applicable.
Personal data breach
Navitas takes every reasonable measure to prevent Personal Data breaches. When these do occur, we have a process in place to take swift action within our responsibilities. In the case of a personal data breach, Navitas (as a controller) will without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, Navitas will communicate the personal data breach as well to the data subject without undue delay. In case Navitas is a processor it notifies the controller without undue delay after becoming aware of a personal data breach. These actions will be consistent with the role we have in relation to the products, services or processes affected by the breach. In all cases, we will work together with affected parties to minimize effects, to make all notifications and disclosures that are required by applicable law or otherwise warranted, and to take action to prevent future breaches. We systematically outline responsibilities in case of Personal Data breaches in our contracts, both with customers as well as with our vendors.
Retention of Personal data
Navitas will hold Personal Data on its systems for the longest of the following periods:
- As long as necessary to maintain the ongoing business relationship with the client or with the data subject, or as needed to provide the client or the data subject with the products, services or information which the client or the data subject are entitled to or can otherwise reasonably expect to receive from us;
- For as long as necessary for the purpose for which we collected it or for which the data subject supplied it to us in accordance with any product or service relevant activity or process;
- Any retention period that is necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements; or
- The end of the period in which litigation or investigations might arise in respect of our business relations or other interactions with the data subject.
For the sake of clarity: where Navitas is a data controller processing personal data for its own purposes, personal data will be deleted when it is no longer needed for its originally stated processing purposes, or for any additional compatible purpose for which Navitas may lawfully further process such data, and no legal requirement prevents Navitas from deleting it.
Moreover, where Navitas is a data processor or sub-processor processing personal data for the purposes, and on the instructions, of a data controller or data processor, we will comply with the time limits agreed with that controller or processor, unless we are compelled by applicable laws and regulations to delete such data sooner or to retain it longer.
Information and Consent
When NLS collects data, NLS will provide information to the individuals concerned, where applicable, in clear and understandable language about how their information will be used, disclosed and transferred; what choices they have in relation to how their data are handled; what informational rights they have under data privacy law and whether these rights can be limited or excluded; and whom to contact with any questions or complaints. This privacy information is tailored to the specific situation of data collection and processing. In providing such information, NLS meets its obligations under the GDPR to be transparent and fair with the individuals concerned. Information will be provided by a link to a specific website, by email or by post, so that it is easily available and so that the provision of information is properly documented.
In many situations, including where mandated by data privacy law and also where it is a matter of good practice, NLS will seek the consent of individuals to collect, use and disclose their data consistent with the relevant privacy notice. However, in certain cases where the law allows, particularly where obtaining consent would involve a disproportionate effort, where the intended processing of the data is in NLS' or our clients' legitimate interests and the privacy risks are low, NLS will proceed to process personal data without consent. NLS will also use and disclose personal data without consent where required by law or judicial order.
Informational and Data Protection Rights
In accordance with applicable data privacy laws, and where a contractual commitment requires it, NLS ensures that individuals to whom the GDPR applies can exercise all relevant informational rights with respect to their personal data processed by NLS. You have the right:
- to ask us whether and what personal data we process concerning you, including a copy of this information, in accordance with Art. 15 GDPR;
- to obtain the rectification, update or completion of inaccurate or incomplete personal data concerning you, Art. 16 GDPR;
- to obtain the deletion or request the erasure of Personal Data concerning you under certain circumstances, Art. 17 GDPR;
- to obtain a restriction of processing Personal Data concerning you in certain circumstances, Art. 18 GDPR;
- to withdraw any consent you may have given for us to process personal data concerning you;
- to object to our processing of Personal Data concerning you on the basis of our, or of third-parties’ legitimate interests, Art. 21 GDPR;
- to receive the personal data concerning you, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance, Art. 20 GDPR.
If you have given your consent for marketing purposes, you have the right to withdraw your consent at any time by sending a request to firstname.lastname@example.org or by clicking the unsubscribe button in the next email you receive, Art. 20 GDPR.
Study subjects must contact their investigator at their study site, who will be able to make the necessary link to subject identity.
Within the EU, citizens of the EU have the right to lodge a complaint about how their information is handled with a supervisory authority responsible for regulating compliance with the GDPR, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, Art. 77 GDPR.
A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.html.
Where the data subject's exercise of any of the rights above depends on action by Navitas, we will abide by our legal obligation to take reasonable measures to ascertain the data subject's identity and the legitimacy of the request, and may ask the data subject to disclose to us any information necessary for that purpose. We will respond to legitimate requests within a reasonable timeframe. In certain limited circumstances, we may need to extend our response period as permitted by applicable law. Where we have no direct relationship with the data subjects whose personal data we process, a data subject who seeks to exercise any of the rights above should direct their query to our client (the data controller) or, in the case of a study subject, to the responsible investigator. Following any such request, we may retain certain data necessary to prevent fraud or future abuse, or as otherwise required or permitted by law, including to comply with the legal obligations we are subject to, to enforce our agreements, and to establish, exercise and defend our legal claims.
Questions, Complaints and Requests to Exercise Rights
Questions or requests to exercise informational rights, specifically requests for access to data, or complaints can be addressed to the attention of:
Or directly to our Data protection officer via e-mail to: DPONLS@Navitaslifesciences.com
Under the GDPR, Navitas Life Sciences GmbH as the lead EU affiliate for data protection purposes, shall be primarily responsible for data protection matters affecting our EU group of companies.
Changes to Our Policy
NLS will modify or amend this Policy whenever its data processing procedures change or when it is necessary in order to stay compliant with the data protection laws. If we make any material changes, we will notify you by email (sent to the email address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
Effective Date: 31 January 2019