Effective Date: January 31, 2019
Updated: September 1, 2023
Statistics & Data Corporation (SDC) is committed to respecting the privacy of individuals. To better protect your privacy, we provide this notice to explain our online information practices and the choices you have about the way your personal information is collected and used.
Information We Collect From You
We may collect the following personal information from you:
- Contact Information (such as name, job title, company, telephone number, email address, physical address)
- Career Information (such as name, education, positions held, application information)
- Clinical Data, if you participate in a clinical trial, as stated in the Informed Consent (such as your initials, birth year, gender, race, ethnicity, related health information)
- Other information you give to us
As is true of most websites, we gather certain information automatically. This information may include Internet Protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
We may also collect from you the email address of your contacts when you refer them to links on our job website. When you provide us with personal information about your contacts we will only use this information for the specific reason for which it is provided.
If you believe that one of your contacts has provided us with your personal information and you would like to request that it be removed from our database, please contact us by using our contact information below.
In addition to the personal data we collect from you, we may receive information about you from other sources to supplement information provided by you to verify information that you have provided to us and to enhance our ability to provide you with information about our business, events, and services. Examples of third-party services we may use to supplement information provided by you include LinkedIn and other social media platforms, external websites, etc.
Why We Collect Personal Data
By “personal data” or “personal information” we mean information that identifies or is capable of identifying an individual, including our customers, volunteers, or patients in clinical studies (research subjects), employees, job candidates, vendors, and clinical investigators/staff with whom we work.
You may be asked to provide personal information when you use our website, volunteer for clinical studies, work with SDC, seek information regarding SDC services, or seek employment from SDC. In addition, if you become a volunteer, we will (with your consent) collect information regarding your health and medical history which we will retain and/or dispose of or transfer in accordance with both the relevant protocol for the clinical study for which it was gathered, your signed Informed Consent, and applicable law.
From time to time, we may request information from you via surveys. Participation in these surveys is completely voluntary; therefore, you have the choice of whether or not to disclose such information. Information requested may include contact information (such as name, correspondence address, and telephone number), and demographic information (such as zip or postal code or age).
How We Use This Information
SDC may use your personal data for reasons such as:
- processing newsletter requests and job applications, and providing company information;
- marketing communications and profiling to help us offer you relevant services;
- to correct technical problems and malfunctions and to technically process your information;
- to operate, maintain, administer, and protect the security and integrity of our Web site;
- to protect our rights and property and the rights and property of others;
- to take precautions against liability;
- to the extent required by law or to respond to judicial process;
- to the extent permitted under other provisions of law, to provide information to law enforcement agencies, or for an investigation on a matter related to public safety, as applicable;
- to respond to your requests, questions and feedback; and
- for other reasons with your consent.
Every effort is made to ensure that the information is accurate and up-to-date and all communications with individuals provide easy means of validating, correcting errors, and updating information.
If you request information from us, register on our website, or participate in our surveys, promotions or events, we may send you marketing communications as permitted by law. You will have the ability to opt out of such communications.
Release, Sharing, or Transference of Data
The information you provide to us will be available to SDC, its subsidiaries, and companies working as agents of SDC. Access to data and equipment is restricted to appropriate staff (including contractors/consultants).
SDC does not share your information with outside third parties without your explicit consent, except where provided in this privacy statement (e.g., Merger).
SDC may employ third-party companies and individuals to administer and provide services on our behalf (such as training, customer support, hosting, email delivery, and database management services). These third parties may use your information only as directed by SDC and in a manner consistent with this privacy statement and are prohibited from using or disclosing your information for any other purpose. SDC may also disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to SDC.
Companies working as agents of SDC or clinical trial sponsors (such as pharmaceutical companies) are required to sign confidentiality agreements or provide assurance agreeing to handle all confidential information containing personal data in accordance with applicable law.
Information We Collect and Process For Our Customers
In providing services, SDC’s customer’s and authorized users (for example, customer employees or service providers, clinical trial sites and investigators, and trial subjects) may provide information to SDC from or about their authorized users, employees, and trial subjects (collectively, “Customer Controlled Data”). In such circumstances, SDC has no direct relationship with the individuals whose personal data it processes, and is processing data (acting as “Data Processor”) on behalf of its customer (the “Data Controller”). If you seek access or seek to correct, amend, or delete inaccurate data you should directly contact SDC’s customer (e.g. the clinical trial sponsor) or the clinical trial site. Our customers have their own policies regarding the collection, use, and disclosure of your personal information. Our use of Customer Controlled Data is subject to the written agreement between SDC and our customer. SDC’s responsibility under that agreement is the obligation to keep Customer Controlled Data safe and secure. To learn about how a particular customer handles your personal information or to exercise any rights you may have regarding your personal information, we encourage you to read that customer’s privacy statement or contact that customer.
As a Data Processor, SDC does not own or control how and for what purpose Customer Controlled Data is used.
EU-U.S. Data Privacy
SDC is responsible for the processing of personal data it receives, under the Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. SDC complies with the EU-U.S. DPF Principles with regard to transfers of personal data from the European Union and, as applicable, the United Kingdom, and/or with the Swiss-U.S. DPF Principles with regard to transfer of personal data from Switzerland. With respect to personal data received or transferred pursuant to the Data Privacy Framework, SDC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, SDC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact the EU DPAs (free of charge) for more information or to file a complaint.
European Union Personal Data
Individuals in the European Union have additional rights under the General Data Protection Regulation (GDPR). The regulations are available online through the Official Journal of the European Union at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN/. An unofficial indexed copy is available at https://gdpr-info.eu/. SDC has provided these links for your convenience. SDC is not affiliated with these organizations or publications, and we are not responsible for the content therein.
If your personal data is governed by the GDPR, you have the right to:
- Obtain confirmation as to whether or not your personal data are being processed by SDC, the purposes of the processing, the categories of personal data concerned, and other rights of access expressed in Article 15 of GDPR “Right of Access by the Data Subject”
- Rectify inaccurate personal data, including the right to have incomplete personal data completed per Article 16 of GDPR “Right to Rectification”
- Have your personal data erased, pursuant to the specifications and exemptions in Article 17 of GDPR “Right to Erasure (Right to be Forgotten)”
- Restrict our processing of your personal data pursuant to Article 18 of GDPR “Right to Restriction of Processing”
- Receive your personal data, which you have provided to SDC, in a structured, commonly used, and machine-readable format in accordance with Article 20 of GDPR “Right to Data Portability”
- Object at any time to the processing of your personal data for direct marketing purposes pursuant to Article 21 of GDPR “Right to Object”
- Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you as defined in Article 22 of GDPR “Automated Individual Decision-making, including Profiling”
For requests regarding the above rights, such as if you would like to access, review, amend, or erase the information we have collected from you as a Data Controller, or if you would like to invoke your rights under GDPR not otherwise stated above, please contact SDC using the information provided below.
As part of SDC’s services, our customers and partners may enter Customer Controlled Data (see “Information We Collect and Process For Our Customers”) into the clinical study EDC system and/or our servers. SDC processes the data but does not own or control how or for what purpose Customer Controlled Data is processed; therefore, SDC is considered a Data Processor. For requests regarding Customer Controlled Data, please direct your request to the Data Controller (SDC’s customer, the clinical trial sponsor, or the clinical site).
Legal basis for processing
SDC only uses your personal information as permitted by law. SDC is required to inform you of the legal bases of our processing of your personal information, which are described in the list below:
- To provide the Services. Processing is necessary to perform the contract governing our provision of services or to take steps that you request prior to signing up for the services.
- To communicate with you; To create anonymous data for analytics; and For compliance, fraud prevention and safety. These processing activities constitute our legitimate interests. SDC makes sure it considers and balances any potential impact on you (both positive and negative) and your rights before it processes your personal information for its legitimate interests. SDC does not use your personal information for activities where SDC’s interests are overridden by the impact on you (unless SDC has your consent or is otherwise required or permitted to by law).
- To comply with law. Processing is necessary to comply with SDC’s legal obligations.
- With your consent. Processing is based on your consent. Where SDC relies on your consent you have the right to withdraw it anytime in the manner indicated in your consent or agreement with SDC or contact SDC as provided in “How To Contact Us” below.
If you have questions about the legal basis of how SDC processes your personal information, contact SDC as provided in “How To Contact Us” below.
SDC will only retain your personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, SDC considers the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which SDC processes your personal information, and whether SDC can achieve those purposes through other means, and the applicable legal requirements. By law, SDC has to keep basic information about its customers (including Contact, Identity, Financial, and Transaction Information) for seven years after they cease being customers for financial and tax purposes. In some circumstances, SDC may anonymize your personal information (so that it can no longer be associated with you) in which case SDC may use this information indefinitely without further notice to you.
Cross-Border Data Transfer
Whenever SDC transfers your personal information out of the European Economic Area to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on one of the following safeguards recognized by the European Commission as providing adequate protection for personal information, where required by EU data protection legislation:
- Contracts approved by the European Commission which impose data protection obligations on the parties to the transfer. For further details, see European Commission Model contracts for the transfer of personal information to third countries.
- For transfers to third parties in the United States, ensuring they participate in the EU-U.S. Data Privacy Framework.
Please contact SDC if you want further information on the specific mechanism used by SDC when transferring your personal information out of the European Economic Area.
Individuals in the EU also have the right to file a complaint with any of the following: SDC’s Data Privacy Officer (Christine Lindberg), SDC’s EU representative (DataRep), or your local data protection authority.
We have created this privacy statement to demonstrate our firm commitment to your privacy and the protection of your information.
Why did you receive a mailing from us?
Our e-mail marketing is permission-based. If you received a mailing from us, our records indicate that (a) you have expressly shared this address for the purpose of receiving information in the future (“opt-in”), or (b) you have registered or purchased or otherwise have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings.
If you believe you have received unwanted, unsolicited e-mail sent via this system or purporting to be sent via this system, please forward a copy of that e-mail with your comments to firstname.lastname@example.org for review.
How can you stop receiving e-mail from us?
Each marketing e-mail sent contains an unsubscribe link. This is an automated way for you to cease receiving e-mail from us.
When we send you marketing e-mails, we may include tracking links to allow us to determine the number of people who open our e-mails. When you click on a link in an e-mail, we may record this individual response to allow us to customize our offerings to you. E-mail tracking collects only limited information, time and date of a page being viewed, and a description of the page on which the tracking link resides (the URL).
SDC maintains a high level of security, particularly in relation to data. Computer equipment, networks, programs, data, and documentation are maintained to a high standard, and access to data and equipment is restricted to appropriate staff.
The handling of medical information obtained in clinical research is governed by national and international data protection regulations and medical confidentiality. Any medical information collected will be maintained under these regulations.
We may retain your information for as long as your account is active or as needed to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements.
Privacy Statement Changes
SDC reserves the right to modify or amend this privacy statement. For instance, this privacy statement may need to change as new legislation is introduced or as it is amended. Changes to SDC’s privacy statement will be posted on this Web site. If we make any material changes we will notify you by means of a notice on this website prior to the change becoming effective. We recommend that you review this statement from time to time. Your continued use of SDC’s website and services after the posting of any modified privacy statement indicates your acceptance of the terms of the modified privacy statement.
If we should ever file for bankruptcy or be acquired by a third party, merge with a third party, sell all or part of our assets, or otherwise transfer substantially all of our relevant assets to a third party, we are entitled to share the personal information and all other information you have provided to us through to potential and subsequent business and merger partners.
How To Contact Us
All communications, questions, or concerns about these privacy policies should be addressed to SDC’s Data Privacy Lead, Christine Lindberg, via email at DataPrivacy@sdcclinical.com or in writing to SDC Data Privacy, Attn: Christine Lindberg, 63 South Rockford Drive, Suite 240, Tempe, AZ 85288.
Individuals in the EU also have the right to raise a question or otherwise exercise their rights in respect of their personal data by SDC’s EU representative, DataRep.