THE GENERAL DATA PROTECTION REGULATION (GDPR) AT CROWN CRO
For Crown CRO data protection and privacy are critical to our business and the top priority for our organization. Our commitment to handling data respecting privacy is core to our customer promise.
This privacy statement explains how Crown CRO (hereafter “Crown CRO”, “we”, “us”) processes which personal data of you for which purposes. In any event, collection and processing of personal data will only take place conformable to the applicable law (i.e. the General Data Protection Regulation, “GDPR”).
1 DATA CONTROLLER – DATA PROSESSOR
Crown CRO acts as data controller for personal data related to employees and customers, both current and potential. Controller means that the company decides the means, terms, and/or conditions of the collection of data.
Crown CRO acts as data processor on behalf of our customers when contracted to do so, for the specific data.
2 CONTACT PERSON FOR MATTER CONCERNING DATA
3 INFORMATION CONTENT OF PERSONAL DATA
The personal data that can be stored includes the following:
- Identification data: Name, personal identity code, customer identification number
- Contact information: address, telephone number, e-mail address and other relevant contact details
- Employment related information
- Recruitment related information
- Other content voluntarily provided by the data subject: e.g. inquiries, interests and other similar information, information on customer feedback/satisfaction, necessary information related to the use of identification and verification tools and services, information related to the processing of data, such as the date of recording the data and the source of the data.
4 THE PURPOSE AND BASIS FOR PROCESSING PERSONAL DATA
The primary basis for processing personal data is:
- data subject has given consent to the processing of his or her personal data for one or more specific purposes
- lawful basis e.g. related to employment
- a customer relationship and assignment given by the customer. Crown CRO acts as data processor for customer (who is data controller).
Personal data can be processed for the following purposes:
- Management, implementation, development and monitoring of the customer relationship, customer service and the related communication and marketing.
- Analysis, grouping and reporting of customer relationships and other purposes related to the development of the overall customer account and Crown CRO’s business.
- Collecting and handling customer feedback and customer satisfaction information and inquiries.
- Collecting and handling job applications.
- Collecting and handling pseudonymized and/or anonymized data for subjects participating in clinical trials
- Collecting and handling pseudonymized and/or anonymized data for subjects in relation to the pharmacovigilance
5 LOG DATA AND COOKIES
The legal basis is Article 6 (1) f) GDPR.
6 DATA TRANSFER TO THIRD PARTIES
We may share personal information with third parties. To facilitate the purposes of clinical research, personal data may be shared in the normal course and scope of business with third parties to whom Crown CRO has chosen to outsource work. In the event that personal data is transferred to a third party, Crown CRO requires in its agreements with third parties that adequate privacy precautions are taken that provide the same level of privacy protection as is required by the Privacy Statement.
Reporting obligations to regulatory authorities and enforcement of rights
As a CRO in the pharmaceutical industry, we are subject to specific legislation. Some of these laws require us to send your reports to authorities worldwide (including countries that may have a different level of data protection than the EU). In order to protect our rights or the rights of third parties, we may also disclose data to rights holders, consultants and authorities in accordance with legal provisions.
We engage our service providers to process your personal data for the purposes described in this data protection information. These service providers process the data only on our behalf, in accordance with our instructions and under our control in accordance with this data privacy declaration. One of these service providers is Etevät Oy providing our ICT services.
Crown CRO affiliates
As a global group of companies, we involve all Crown CRO companies in data processing. The group companies process the data exclusively for the purposes stated in this data protection declaration. We use the personal information that you voluntarily provide to us by e.g. applying a position or responding to a questionnaire asking for interest to participate in a clinical trial. Personal data may be shared with Crown CRO companies for us to be able to process your application. The personal data that is processed is name, phone number, e-mail address, address, birth data as well as information that together or on its own constitutes as personal information. We process your personal information only to administer recruitment matters as well as for marketing of our offers to you as a candidate. Personal information is stored up to two (2) years after a completed recruitment process as to be accessible at later recruitment processes where you might be of interest as a candidate.
Data transfer to recipients outside the EU
Service providers and/or our customer may transfer and process your personal data outside the EU. In case where we act as data controller, we ensure an adequate level of data protection to comply with European law (usually through EU standard contractual clauses published by the European Commission).
7 CLINICAL TRIAL SUBJECTS
Crown CRO processes demographic data, health-related information and information collected by questionnaires, e.g. quality of life or experience of symptoms/treatment satisfaction about the persons that take part in clinical trials. The physician investigators are responsible for ensuring that persons understand and consent to the gathering of sensitive personal data related to health and lifestyle, and the transfer of such information (in pseudonymized or anonymized way) to third parties. This so called informed consent agreement states that data may be transferred to other countries and to other parties.
Crown CRO collects personal data about physicians and all persons in the hospitals and clinics that take part in conduct of a clinical study. This allows Crown CRO to quickly identify and contact anyone for participation in clinical studies.
9 ICT AND SECURITY
Crown CRO maintains a high level of information technology and organizational security, particularly in relation to all of the personal data we collect. Crown CRO has in place physical, electronic and managerial procedures to safeguard and secure the information we collect. Pseudonymized data from clinical trials is stored in a special web-based proprietary to which only authorized personnel can access on a need to know basis. Access to other personal data is restricted to those authorized employees on a need to know basis depending what type of work they are performing for Crown CRO. All employees receive training. Crown CRO deploys encryption, firewalls, access controls, and other procedures to protect data from loss, misuse, unauthorized access, disclosure, alteration and destruction. Crown CRO may at times be required to disclose personal information in response to lawful requests by legal or regulatory authorities.
10 THE DATA SUBJECT’S RIGHT TO ACCESS THE DATA
The data subject is entitled to see all data that has been collected recorded in Crown CRO’s data file. The request shall be made in writing. As a rule, the right to get to see your own data is free of charge.
The data subject’s right to demand the rectification or erasure of data or the restriction of its use
The data subject can make a request to rectify their data. The data subject also has the right to demand the data controller to restrict the processing of the data subject’s personal data, for instance, in a situation where the data subject is waiting for Crown CRO’s response to a request to rectify or erase their data.
The data subject’s right to transfer the data from one system to another
To the extent that the data subject has provided data to the customer data file to be processed based on the data subject’s consent or assignment, the data subject has the right to obtain such data for their personal use, primarily in machine-readable format, as well as to transfer the data to another data controller.
The data subject’s right to lodge a complaint to the supervising authority
The data subject is entitled to lodge a complaint to the competent supervising authority if the data controller has not observed the applicable privacy regulations in its actions.
If personal data is processed based on the consent of the subject, the subject has the right to withdraw their consent by notifying Crown CRO.
If you have any questions about our use of personal data, this data protection declaration or would like to exercise your rights, you can contact us at any time or you can contact our data protection officer directly: email@example.com.
Crown CRO OÜ, Turu 2, B-502, 51014 Tartu, Estonia
Crown CRO Oy, 7 Peldu Street, Jelgava, LV3002, Latvia
Crown CRO UAB, R. Kalantos str. 161, 52315, Kaunas, Lithuania
Crown CRO Oy, Bogstadveien 27, 0355, Oslo, Norway
Crown CRO Oy, Wallingatan 34, 11124, Stockholm, Sweden