User Privacy Policy

Effective 14-Sep-2023

Purpose

This Privacy Policy describes how CRIO addresses regulatory requirements related to Personally Identifiable Information, Protected Health Information, Patient Privacy, the EU General Data Protection Regulation (EU GDPR), the California Consumer Protection Act (CCPA), the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF and other applicable privacy laws and regulations.

Scope

This Privacy Policy describes how CRIO collects, uses, discloses, and otherwise processes personal information in connection with our websites, applications, and other services, and explains the rights and choices available to individuals with respect to their information.

Data Collected by CRIO

CRIO is a provider of software and services to life sciences companies for use in the conduct of clinical trials throughout the world. Acting as a third-party agent for our customers, CRIO receives and processes Personal Data (e.g. name, email, phone number) from study sponsors, research sites, and various consultants/subcontractors.
As part of the products and services we provide, CRIO processes personal data and protected health information (including detailed information regarding health status, medical assessments, and test results).
CRIO intends that its corporate privacy policies, internal SOPs, and work practices are adequate to ensure compliance with applicable international laws and regulations including the European Union's General Data Protection Regulation (GDPR), the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF and the California Consumer Protection Act (CCPA). Detailed contractual arrangements, Standard Contractual Clauses, SOPs and business policies govern all work with customer data and are available for audit/review by customers and regulatory authorities.

Dispute Resolution

In compliance with the EU-U.S. Data Protection Framework (DPF) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CRIO commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact CRIO at:
compliance@clinicalresearch.io or the mailing address below:
CRIO, Inc
-Data Protection Officer-
177 Huntington Ave., Suite 1703
PMB 32876
Boston, MA 02115-3153

Our EU representative is Data Protection Representative Limited (trading as 'DPR Group'), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 1-2 Marino Mart, Fairview, Dublin 3, Ireland.

Our representative in Switzerland is DataRep located at the following address:
Leutschenbachstrasse 95
Zurich, 8050, Switzerland

Our representative in the UK is DataRep located at the following address:
107-111 Fleet Street
London, EC4A 2AB
United Kingdom

Alternative Dispute Resolution

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CRIO commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, the European Union, the United Kingdom, and Switzerland. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

General Data Protection Regulation (GDPR), Swiss Federal Act on Data Protection (FADP), and the UK GDPR

The GDPR is directly applicable to each member state of the European Union and affects data controllers and processors inside and outside of the EU which collect data on EU data subjects.

The Swiss Federal Act on Data Protection (FADP) is applicable to all data controllers and processors that collect data on Swiss data subjects.

The UK GDPR applies to all data controllers and processors that collect data on UK (and Gibraltar) data subjects.

CRIO has assessed its technical and procedural safeguards, outlined below, to ensure compliance with the GDPR.

GDPR Definitions

For purposes of this regulation, the following definitions apply:

`personal data` means any information relating to an identified or identifiable natural person (`data subject`); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

`processing` means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

`controller` means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

`processor` means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

`third party` means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Data Privacy Framework Compliance

CRIO complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CRIO has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. CRIO has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Jurisdiction

The Federal Trade Commission (FTC) has jurisdiction over CRIO's compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). CRIO is subject to the investigatory and enforcement powers of the FTC.

Binding Arbitration

By certifying against the EU-U.S. DPF, CRIO is obligated to arbitrate claims and follow the terms set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to CRIO and following the procedures, and subject to the conditions, set forth in Annex I of the Principles. For more information, visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

Liability in Cases of Onward Transfers

CRIO is responsible for the processing of personal data it receives under the Data Privacy Framework and subsequently transfers to a third-party agent, and may be liable for onward transfers in violation of the Data Privacy Framework Principles.

Data Subject Rights

Individuals located in the European Economic Area only, whose Personal Data CRIO processes ("Data Subjects"), have the following rights with regard to their Personal Data:

Right of access

Data Subjects may request details of their Personal Information that the organization holds. CRIO will confirm whether it is processing the individual's Personal Information and will disclose supplementary information including the categories of Personal Information, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding Personal Information transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.

Right of correction

CRIO will comply with a Data Subject's request to edit and update incorrect Personal Information promptly. In the event that correction is not possible or cannot occur in a timely manner, CRIO will document its reasons, specify the time frame in which correction will occur (to the extent knowable), and respond to the requestor with this information within 30 days from the receipt of request for correction.

Right to be forgotten

At a Data Subject's request, CRIO will delete their Personal Information promptly if:

CRIO will inform any third parties with whom it might have shared the Data Subject's Personal Information of the deletion request. CRIO may decline a Data Subject's request for deletion if processing of their Personal Information is necessary:

Right to restrict processing of Personal Information

At a Data Subject's request, CRIO will limit the processing of their Personal Information if:

Right to notice related to correction, deletion, and limitation on processing

In so far as it is practicable, CRIO will notify a Data Subject of any correction, deletion, and/or limitation on processing of their Personal Information.

Right to data portability

At a Data Subject's request, CRIO will provide them a copy of their Personal Information in a structured, commonly used and machine-readable format, if:

  1. the Data Subject provided CRIO with Personal Information;
  2. the processing of the Data Subject's Personal Information is based on consent or required for the performance of a contract; or,
  3. the processing is carried out by automated means.

Right to object

Where CRIO processes a Data Subject's Personal Information based upon the lawful basis of legitimate interest, then the individual has the right to object to this processing.

Right not to be subject to decisions based solely on automated processing

Data Subjects will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of their Personal Information, unless CRIO has received explicit consent or where the automatic processing is necessary for a contract with CRIO.

Right to withdraw consent

A Data Subject who has provided CRIO with consent to process their Personal Information has the right to withdraw any consent previously provided to CRIO at any time. If a Data Subject withdraws their consent, this will not affect the lawfulness of CRIO's collecting, using and sharing of their Personal Information up to the point in time that consent was withdrawn. Even if a Data Subject withdraws their consent, CRIO may still use the information that has been anonymized and does not personally identify the Data Subject.

Right to complain to a supervisory authority

If a Data Subject is not satisfied with CRIO's response, they have the right to complain to or seek advice from a supervisory authority and/or bring a claim against CRIO in any court of competent jurisdiction. Any person at CRIO that receives a request from a Data Subject seeking to exercise their rights under GDPR should contact the Privacy Office to assist in the review of and response to the Data Subject's request. Requests will be responded to within 30 days of receipt. Under certain circumstances, CRIO may inform the requesting Data Subject that additional time is needed to fully comply with the request. Such notification shall occur within 30 days of receipt of the request.

Inquiries can be made by contacting compliance@clinicalresearch.io or the mailing address below:

CRIO, Inc
-Data Protection Officer-
177 Huntington Ave., Suite 1703
PMB 32876
Boston, MA 02115-3153

Our EU representative is Data Protection Representative Limited (trading as 'DPR Group'), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 1-2 Marino Mart, Fairview, Dublin 3, Ireland.

Our representative in Switzerland is DataRep located at the following address:
Leutschenbachstrasse 95
Zurich, 8050, Switzerland

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CRIO commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, the European Union, the United Kingdom, and Switzerland. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Data Protection Impact Assessment

To enhance compliance with the GDPR, CRIO carried out a data protection impact assessment to help determine the level of protection that is required. The impact assessment includes the measures, safeguards and mechanisms that mitigate the risk to the data collected and ensures the protection of personal data. Lastly, it is also utilized by CRIO to demonstrate compliance with the GDPR to the supervisory authorities.

Third Parties

Personal Information of Data Subjects may be shared with agents, contractors or partners of CRIO in connection with services that these individuals or entities perform for, or with, CRIO. These agents, contractors or partners are restricted from using this information in any way other than to provide services for CRIO, or services for the collaboration in which they and CRIO are engaged. CRIO will not give, sell, rent, loan or otherwise disclose any Personal Information to any third party, unless permitted or otherwise authorized to do so.

CRIO reserves the right to share Personal Information in response to duly authorized information requests of any law enforcement agency, court, regulator, government authority, or other third party, where we believe such disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect CRIO's rights or the rights of any third party.

We may also provide Personal Information to a third party in connection with the sale, assignment, or other transfer of the business of this website to which the information relates, in which case we will require any such third party to agree to treat Personal Information in accordance with our Privacy Policy.

We also may share aggregate, non-personal information about CRIO's public-facing website usage with unaffiliated third parties. This aggregate information does not contain any personally identifiable information about our users.

Data Processor Subcontractors

Subcontractors of CRIO are also subject to the same requirements under the GDPR and they are also bound by any contracts with the controller.

The types of subcontractors that are being used include the following:

CRIO's mechanisms for transfer of data from EU, United Kingdom, and Switzerland to the U.S.

EU-U.S. Data Privacy Framework

The adequacy decision on the EU-U.S. Data Privacy Framework from 10-Jul-2023 covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework. By committing to the EU-U.S. Data Privacy Framework, CRIO is able to leverage the adequacy decision by the European Commission and use the framework as a mechanism to safely and freely transfer data from the EEA to the United States.

Standard Contractual Clauses

Where required by the controller and where applicable, CRIO will enter into the Standard Contractual Clauses, which are approved contracts between data exporters within the EU, Switzerland and the United Kingdom and data importers in so-called "third countries", to transfer personal data from within the EU to recipients in those third countries in accordance with GDPR.

It must be noted that personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. Thus, CRIO continues to rely on the SCCs as the transfer mechanism for data from the UK and Gibraltar.

Furthermore, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland's recognition of adequacy for the Swiss-U.S. DPF. Thus, CRIO continues to rely on the SCCs as the transfer mechanism for data from Switzerland.

How does CRIO maintain compliance with GDPR?

Because CRIO maintains compliance with the EU-U.S. DPF, CRIO customers can opt to leverage the EU-U.S. DPF as an acceptable transfer mechanism.
Additionally, CRIO's standard Data Processing Addendum incorporates the Standard Contractual Clauses (SCCs) for any transfers of personal data from within the EU, Switzerland and the United Kingdom to the U.S. that occur in connection with CRIO's performance of its services.

California Consumer Privacy Act (CCPA)

To the extent applicable, CRIO complies with the California Consumer Privacy Act. The Privacy Policy for California residents can be found in CRIO's Security and Compliance section on its corporate website: https://www.clinicalresearch.io/about-crio/security-compliance/