Personal Data and Privacy
Personal Data and Privacy
Effective Date: January 31, 2019
Updated: September 14, 2021
Statistics & Data Corporation (SDC) is committed to respecting the privacy of individuals. To better protect your privacy, we provide this notice to explain our online information practices and the choices you have about the way your personal information is collected and used.
We may collect the following personal information from you:
As is true of most websites, we gather certain information automatically. This information may include Internet Protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
We may also collect from you the email address of your contacts when you refer them to links on our job website. When you provide us with personal information about your contacts we will only use this information for the specific reason for which it is provided.
If you believe that one of your contacts has provided us with your personal information and you would like to request that it be removed from our database, please contact us by using our contact information below.
In addition to the personal data we collect from you, we may receive information about you from other sources to supplement information provided by you to verify information that you have provided to us and to enhance our ability to provide you with information about our business, events, and services. Examples of third-party services we may use to supplement information provided by you include LinkedIn and other social media platforms, external websites, etc.
Why We Collect Personal Data
By “personal data” or “personal information” we mean information that identifies or is capable of identifying an individual, including our customers, volunteers, or patients in clinical studies (research subjects), employees, job candidates, vendors, and clinical investigators/staff with whom we work.
You may be asked to provide personal information when you use our website, volunteer for clinical studies, work with SDC, seek information regarding SDC services, or seek employment from SDC. In addition, if you become a volunteer, we will (with your consent) collect information regarding your health and medical history which we will retain and/or dispose of or transfer in accordance with both the relevant protocol for the clinical study for which it was gathered, your signed Informed Consent, and applicable law.
From time to time, we may request information from you via surveys. Participation in these surveys is completely voluntary; therefore, you have the choice of whether or not to disclose such information. Information requested may include contact information (such as name, correspondence address, and telephone number), and demographic information (such as zip or postal code or age).
How We Use This Information
SDC may use your personal data for reasons such as:
Every effort is made to ensure that the information is accurate and up-to-date and all communications with individuals provide easy means of validating, correcting errors, and updating information.
If you request information from us, register on our website, or participate in our surveys, promotions or events, we may send you marketing communications as permitted by law. You will have the ability to opt out of such communications.
The information you provide to us will be available to SDC, its subsidiaries, and companies working as agents of SDC. Access to data and equipment is restricted to appropriate staff (including contractors/consultants).
SDC does not share your information with outside third parties without your explicit consent, except where provided in this privacy statement (e.g., Merger).
SDC may employ third-party companies and individuals to administer and provide services on our behalf (such as training, customer support, hosting, email delivery, and database management services). These third parties may use your information only as directed by SDC and in a manner consistent with this privacy statement and are prohibited from using or disclosing your information for any other purpose. SDC may also disclose your personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services that they render to SDC.
Companies working as agents of SDC or clinical trial sponsors (such as pharmaceutical companies) are required to sign confidentiality agreements or provide assurance agreeing to handle all confidential information containing personal data in accordance with applicable law.
In providing services, SDC’s customer’s and authorized users (for example, customer employees or service providers, clinical trial sites and investigators, and trial subjects) may provide information to SDC from or about their authorized users, employees, and trial subjects (collectively, “Customer Controlled Data”). In such circumstances, SDC has no direct relationship with the individuals whose personal data it processes, and is processing data (acting as “Data Processor”) on behalf of its customer (the “Data Controller”). If you seek access or seek to correct, amend, or delete inaccurate data you should directly contact SDC’s customer (e.g. the clinical trial sponsor) or the clinical trial site. Our customers have their own policies regarding the collection, use, and disclosure of your personal information. Our use of Customer Controlled Data is subject to the written agreement between SDC and our customer. SDC’s responsibility under that agreement is the obligation to keep Customer Controlled Data safe and secure. To learn about how a particular customer handles your personal information or to exercise any rights you may have regarding your personal information, we encourage you to read that customer’s privacy statement or contact that customer.
As a Data Processor, SDC does not own or control how and for what purpose Customer Controlled Data is used.
EU-U.S. Privacy Shield
SDC participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. SDC is committed to subjecting all personal data regarding individuals residing in European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
SDC is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. SDC complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, SDC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, SDC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact the EU DPAs (free of charge) for more information or to file a complaint. Under certain conditions, more fully described on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
European Union Personal Data
Individuals in the European Union have additional rights under the General Data Protection Regulation (GDPR). The regulations are available online through the Official Journal of the European Union at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN/. An unofficial indexed copy is available at https://gdpr-info.eu/. SDC has provided these links for your convenience. SDC is not affiliated with these organizations or publications, and we are not responsible for the content therein.
If your personal data is governed by the GDPR, you have the right to:
For requests regarding the above rights, such as if you would like to access, review, amend, or erase the information we have collected from you as a Data Controller, or if you would like to invoke your rights under GDPR not otherwise stated above, please contact SDC using the information provided below.
As part of SDC’s services, our customers and partners may enter Customer Controlled Data (see “Information We Collect and Process For Our Customers”) into the clinical study EDC system and/or our servers. SDC processes the data but does not own or control how or for what purpose Customer Controlled Data is processed; therefore, SDC is considered a Data Processor. For requests regarding Customer Controlled Data, please direct your request to the Data Controller (SDC’s customer, the clinical trial sponsor, or the clinical site).
Legal basis for processing
SDC only uses your personal information as permitted by law. SDC is required to inform you of the legal bases of our processing of your personal information, which are described in the list below:
If you have questions about the legal basis of how SDC processes your personal information, contact SDC as provided in “How To Contact Us” below.
SDC will only retain your personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, SDC considers the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which SDC processes your personal information, and whether SDC can achieve those purposes through other means, and the applicable legal requirements. By law, SDC has to keep basic information about its customers (including Contact, Identity, Financial, and Transaction Information) for seven years after they cease being customers for financial and tax purposes. In some circumstances, SDC may anonymize your personal information (so that it can no longer be associated with you) in which case SDC may use this information indefinitely without further notice to you.
Cross-Border Data Transfer
Whenever SDC transfers your personal information out of the European Economic Area to countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on one of the following safeguards recognized by the European Commission as providing adequate protection for personal information, where required by EU data protection legislation:
Please contact SDC if you want further information on the specific mechanism used by SDC when transferring your personal information out of the European Economic Area.
Individuals in the EU also have the right to file a complaint with any of the following: SDC’s Data Privacy Officer (Christine Lindberg), SDC’s EU representative (DPR Group), or your local data protection authority.
We have created this privacy statement to demonstrate our firm commitment to your privacy and the protection of your information.
Why did you receive a mailing from us?
Our e-mail marketing is permission-based. If you received a mailing from us, our records indicate that (a) you have expressly shared this address for the purpose of receiving information in the future (“opt-in”), or (b) you have registered or purchased or otherwise have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings.
If you believe you have received unwanted, unsolicited e-mail sent via this system or purporting to be sent via this system, please forward a copy of that e-mail with your comments to email@example.com for review.
How can you stop receiving e-mail from us?
Each marketing e-mail sent contains an unsubscribe link. This is an automated way for you to cease receiving e-mail from us.
When we send you marketing e-mails, we may include tracking links to allow us to determine the number of people who open our e-mails. When you click on a link in an e-mail, we may record this individual response to allow us to customize our offerings to you. E-mail tracking collects only limited information, time and date of a page being viewed, and a description of the page on which the tracking link resides (the URL).
SDC maintains a high level of security, particularly in relation to data. Computer equipment, networks, programs, data, and documentation are maintained to a high standard, and access to data and equipment is restricted to appropriate staff.
The handling of medical information obtained in clinical research is governed by national and international data protection regulations and medical confidentiality. Any medical information collected will be maintained under these regulations.
We may retain your information for as long as your account is active or as needed to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements.
SDC reserves the right to modify or amend this privacy statement. For instance, this privacy statement may need to change as new legislation is introduced or as it is amended. Changes to SDC’s privacy statement will be posted on this Web site. If we make any material changes we will notify you by means of a notice on this website prior to the change becoming effective. We recommend that you review this statement from time to time. Your continued use of SDC’s website and services after the posting of any modified privacy statement indicates your acceptance of the terms of the modified privacy statement.
If we should ever file for bankruptcy or be acquired by a third party, merge with a third party, sell all or part of our assets, or otherwise transfer substantially all of our relevant assets to a third party, we are entitled to share the personal information and all other information you have provided to us through to potential and subsequent business and merger partners.
How To Contact Us
All communications, questions, or concerns about these privacy policies should be addressed to SDC’s Data Privacy Lead, Christine Lindberg, via email at DataPrivacy@sdcclinical.com or in writing to SDC Data Privacy, Attn: Christine Lindberg, 63 South Rockford Drive, Suite 240, Tempe, AZ 85281.
Individuals in the EU also have the right to raise a question or otherwise exercise their rights in respect of their personal data by SDC’s EU representative, DPR Group.