Effective May 01, 2023
On July 16, 2020 the Court of Justice of the European Union issued an opinion invalidating the U.S.-E.U. Privacy Shield (Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems or “Schrems II”). CSSi LifeSciences acknowledges that decision and has taken action to comply with the CJEU opinion and current guidance from the EU. However, CSSi LifeSciences also remains committed to the goals of the Privacy Shield program, and hopeful that a new agreement may be put in place between the U.S. and E.U.
1.1 The mission of CSSi LifeSciences, Inc., and its global affiliates (“CSSi LifeSciences”) is to accelerate the global development of safe and effective medical therapeutics. Pursuant to this mission, CSSi LifeSciences manages and conducts clinical trials on behalf of Sponsors. At all times CSSi LifeSciences is committed to conducting clinical trials in a manner that strictly adheres to all national and international ethical requirements and clinical trial regulations. Effective adherence to clinical trial regulations requires the gathering, recording, processing, storing, and transmitting of personal data of clinical trial participants, clinical trial investigators, vendors, support staff, and employees.
1.2 CSSi LifeSciences is committed to respecting the privacy of individuals of all nationalities in the processing of their personal data, recognizing the fundamental rights to lawfulness, fairness, and transparency. CSSi LifeSciences adheres to the principles of data privacy by design and by default, including data minimization to the extent possible. CSSi LifeSciences adheres to laws relating to data protection in all jurisdictions in which it conducts business, including but not limited to HIPAA, the General Data Protection Regulation (E.U.) 2016/679 (“GDPR”), the California Consumer Protection Act, and the United Kingdom Data Protection Act of 2018.
2. Personal Data of Clinical Trial Subjects
2.1 CSSi LifeSciences processes pseudonymized medical and health information about the individuals who take part in clinical trials. This information is collected by investigators and their staff at the study sites. CSSi LifeSciences may transmit this data from the jurisdiction in which it was collected to CSSi LifeSciences headquarters in the United States. When consent is required for the processing of personal data, the physician investigators overseeing the trial are responsible for ensuring that the individuals understand and consent to the gathering of sensitive personal data relating to their health, including the transfer of such pseudonymized information to third parties who may be providing services for the clinical trial.
2.2 Pursuant to Opinion 03/2019 of the European Data Protection Board, CSSi LifeSciences declares that the processing of personal data of E.U. citizens participating in a clinical trial is necessary for the performance of a task carried out in the public interest. Specifically, the processing of sensitive categories of data is carried out for reasons of public interest in public health, and/or for scientific purposes in accordance with Article 89(1) of the GDPR.
3. Personal Data of Business Partners
3.1 CSSi LifeSciences collects personal data from business partners and vendors who are providing services to a clinical trial. This processing is necessary for the fulfillment of CSSi LifeSciences’s contracts with these individuals and their employers and may be required for submission of clinical trial data to governmental and regulatory authorities, IRBs, and ethical committees. The basis for collection of physician investigator data is the fulfillment of a legal obligation related to ensuring that investigators are qualified to oversee a clinical trial. The basis for collecting site and investigator staff information is the fulfillment of a contract between CSSi LifeSciences (directly or on behalf of the Sponsor) and the site. When applicable, CSSi LifeSciences complies with all obligations to provide transparency notices about the processing or transfer of this personal data.
4. IT and Security Procedures
4.1 CSSi LifeSciences has in place physical, electronic, and organizational procedures to safeguard and secure personal data stored on its systems. CSSi LifeSciences deploys encryption, firewalls, access controls, and other procedures to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Access to CSSi LifeSciences facilities is controlled via a combination of technical and physical controls. CSSi LifeSciences maintains a disaster recovery plan and system backup plan in case its systems are damaged or destroyed. All employees receive training on security and are required annually to review and understand global data protection standards applicable to CSSi LifeSciences.
4.2 Personal data of clinical trial subjects is never stored at CSSi LifeSciences.
4.3 CSSi LifeSciences may store some business records or clinical trial documents in hard copy (paper or disk) format, as required by law or regulation, or pursuant to the fulfilment of a legitimate business purpose. CSSi LifeSciences has in place a document retention policy, pursuant to which documents are retained for the minimum time necessary, and then securely destroyed. Long-term storage of hard copy documents may be carried out by a qualified third-party vendor.
5. Transfer of Personal Data
5.1 Transfer to Third Parties
5.2 Transfer to Third Countries
5.2.1 CSSi LifeSciences has self-certified its compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. This includes personal data collected on our website, personal data that may be provided for clinical trials, personal data collected from employees, and personal data collected from investigators, their staff, and third-party vendors. CSSi LifeSciences adheres to the seven Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity, Access, and Recourse, Enforcement and Liability as they relate to personal data. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
5.2.2 Personal data may be transferred to a third country outside of the E.E.A. Transfers to third countries not deemed adequate by the E.U. are made according to the principles of appropriate safeguards as outlined in Article 46 of the GDPR.
6. Rights to Access and Choice
6.3 Clinical trial participants should contact the study site at which they participated in the clinical trial, or the Principal Investigator of the study, to enquire about their rights under applicable data privacy laws. The rights available to a clinical trial participant may be limited pursuant to an exception to the applicable data privacy law to preserve the integrity or scientific value of the data collected.
7. Rights to Enforcement and Recourse
7.1 In compliance with the Privacy Shield Principles, CSSi LifeSciences commits to resolve complaints about our collection or use of personal information. E.E.A. and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should contact CSSi LifeSciences’s IT Director at info@CSSi LifeSciences.com or at Maryland Innovation Center, 6751 Columbia Gateway Drive, Suite 300, Columbia, MD 21046 United States of America, Attn: IT Director.
CSSi LifeSciences agrees to respond to the complaint within 30 days of its receipt. For any complaints that cannot be resolved with CSSi LifeSciences directly, CSSi LifeSciences agrees to cooperate with the panel established by the E.U. Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner. As a last resort, if the complaint is not resolved, the Privacy Shield framework provides for binding arbitration before a Privacy Shield Panel made up of three neutral arbitrators. E.U. and Swiss citizens who pursue resolution of a data protection dispute under the Privacy Shield mechanism will not be charged by CSSi LifeSciences. However, each party will bear its own costs of pursuing binding arbitration.
7.2 CSSi LifeSciences adheres to the applicable provisions of the California Consumer Protection Act. Residents of California may have a private right of action in the event of a data breach. Pursuant to California law, affected individuals must first notify CSSi LifeSciences of the alleged violation and provide CSSi LifeSciences 60 days to cure the violation.
8. How to Contact CSSi LifeSciences
8.1 For more information about CSSi LifeSciences’s commitment to protecting data privacy, or to exercise any rights you may have under applicable data privacy laws, please contact CSSi LifeSciences by telephone at (866) 277-4888, or by mail at Maryland Innovation Center, 6751 Columbia Gateway Drive, Suite 300, Columbia, MD 21046 United States of America, Attn: IT Director.