CRF Health complies with global privacy regulations. Below find both our Internet Privacy Policy relating to our public internet site as well as our Data Privacy Policy which pertains to clinical and company staff personal data collection.

Data Privacy Policy

1. Purpose

The overall purpose of this Policy is to outline the responsibilities and procedures that are in place to ensure the privacy and confidentiality of all personally identifiable data and sensitive information (“personal data”) provided to, or collected and processed by, CRF Health electronic clinical outcome assessment tools. Note that CRF Health’s goal is not to collect patient (trial subject) identifiers other than site and subject number. The intent is that through use of the CRF Health database alone, data cannot be traced to identify a specific patient. Changes to this approach should be described in the applicable trial documents.

This policy is associated with the CRF Health Internet Privacy Policy QMS-0-0-3 which pertains only to data collected via the company public website.

This policy document is comprised of multiple sub-policies listed below:

1. European Privacy Directive assuring EU privacy via contracted Model Clauses.

2. The US Health Information Portability & Accountability Act – HIPAA.

3. The EU – US Privacy Shield and Swiss – US Privacy Shield programs.

CRF Health respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. CRF Health strives to collect, use and disclose personal data in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.

CRF Health may receive personal data from outside of the European Economic Area (EEA), Switzerland, or the US. Typically, this would be from customers or suppliers, and this policy would be applied in respect of that personal data unless stricter local requirements are identified with the information supplier or the policy is superseded in a contract. The policy applies to personal data held by CRF Health for:

1. All individuals who provide personal data including (but not limited to) customers, investigator site staff, clinical trial subjects, suppliers, job applicants and employees (past and present).

2. All CRF Health locations.

3. Personal data, in all media, from the point of receipt by CRF Health through processing and to final disposition (e.g., destruction or transfer of ownership of that data).

The CRF Health QMS and systems are developed and maintained in a manner that will ensure that CRF Health conducts its business in compliance with applicable data protection and confidentiality regulations and laws. These regulations, laws and guidelines are specifically listed in QMS 0-0-1 (Regulatory Compliance).

2. Definitions

For purposes of this Policy, the following definitions shall apply as defined in the US and EU:

a) CRF HEALTH

Means CRF Inc., its successors, subsidiaries, divisions and groups.

b) EUROPE, EU, EUROPEAN ECONOMIC COMMUNITY (EEC), or EUROPEAN

Refers to a country in the European Union.

c) THIRD PARTY

Means any individual or entity

d) EMPLOYEE

Means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of CRF Health or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area.

e) PERSONAL INFORMATION

Any information relating to an identified or identifiable natural person. This does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

f) PERSONAL DATA EU

As defined under the European Union Directive 95/46/EC means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term “person” includes both a natural person and a legal entity, regardless of the form of the legal entity.

g) PERSONAL HEALTH INFORMATION (PHI), INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI) – US HIPAA

Any information about an individual including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or genetic/biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

h) DATA SUBJECT

Means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Customers residing in Switzerland, a Data Subject also may include a legal entity.

i) DATA CONTROLLER (EU)

Party determining the means and purpose of processing the personal data (may be a person, agency, public authority or other institution). CRF Health acts as the data controller for personal and sensitive information that is not captured as part of supporting a clinical trial under the direction of a customer. CRF Health acts as the data controller for personal and sensitive information when it processes (or has a third party process on its behalf) the personal information of its employees and customers.

j) DATA PROCESSOR (EU)

The Party handling / processing personal data on behalf of another (the DATA CONTROLLER), under the DATA CONTROLLER’S instruction. CRF Health acts as the data processor for any personal and sensitive information captured as part of trial conduct, under the direction of the customer (Sponsor) in their capacity as DATA CONTROLLER.

k) BUSINESS ASSOCIATE, AGENT (US) – HIPAA

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. CRF Health acts as the business associate for any personal and sensitive information captured as part of trial conduct, under the direction of the customer (Sponsor) in their capacity as a covered entity.

l) SENSITIVE PERSONAL INFORMATION

Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life. In addition, CRF Health will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.

m) INDIVIDUAL CUSTOMER

Means an individual customer or client of CRF Health from the EU or Switzerland. The term also shall include any individual agent or representative of an individual customer of CRF Health and all employees of CRF Health where CRF Health has obtained his or her Personal Data from such Individual Customer as part of its business relationship with CRF Health.

3. Compliance with Legal Obligations

Unless otherwise prohibited in this Policy, CRF Health may process personal data and sensitive information (a) to the extent required to respond to a contractual, legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

4. Types of Information Collected

CRF Health may collect personal data from sponsor, site personnel, and employees, and personal sensitive information through clinical trial and general business activities. CRF Health takes appropriate action where unsolicited confidential data is received to prevent / minimize the risk of recurrence.

4.1. Clinical Data

Clinical data is collected in anonymized form (unique trial subject identifier) in accordance with industry standards. Where unsolicited trial subject identifying information is received, appropriate action will be promptly taken to ensure that the information is not stored or disseminated further. See Section 6 for how receipt of unsolicited data is managed.

4.2. Other Data

This includes all other identifiable and personal data other than clinical data. This includes (but may not be limited to) first name, last name, physical address, email address and telephone number of investigator site staff, visitors to the CRF Health website, job applicants and employees, customers and suppliers.

5. Modes of Personal Data Capture/Storage

CRF Health captures personal data via different routes. The term capture shall be taken to encompass both solicited and unsolicited receipt of personal data.

5.1. Web based (Internet and TrialManager Web Portal)

CRF Health sees the Internet and the use of other technologies as necessary tools for communicating and interacting with consumers, employees, healthcare professionals, business partners, and others.

CRF Health recognizes the importance of maintaining the privacy of information collected online and has posted its Internet Privacy Policy governing the treatment of personal data collected through web sites that CRF Health operates. The associated Internet Privacy Policy also reflects additional legal requirements and evolving standards with respect to Internet privacy. CRF Health’s Internet Privacy Policy can be found at http://www.crfhealth.com/privacy

The CRF Health website allows interested parties to request information and demonstrations of company services. As part of this request for information or services via the website, the user must supply personal data. The CRF Health TrialManager Web Portal allows users to view content pertinent to the clinical trial through a secured website, should one be employed for a trial. The Security Policy (QMS 0-1) and related QMS procedures further complement this policy and the Internet Privacy Policy to cover the measures employed to assure the privacy and confidentiality of information captured and made available via web based means.

5.2. Email

All employees are individually responsible for all electronic mail sent from their account and for the appropriate handling of personal data received into their account. Care will always be taken to evaluate whether e-mail is the most appropriate method for dissemination of personal data. Further detail is provided in the relevant security procedures and company handbook in relation to use of email.

5.3. Telephone

Where communication of information is by telephone, care will always be taken to evaluate whether this is the most appropriate method for discussion and / or dissemination of personal data.

5.4. Paper based Information

Paper based information that is current and required for ongoing study and/or general business activities is maintained, wherever possible, in locked cupboards or otherwise restricted areas; however, the CRF Health standard is to maintain records in electronic form. Paper is considered to be the backup to the electronic record. When paper information ceases to be required, it is destroyed confidentially, by shredding. Wherever appropriate and possible, printers that are not general access printers will be used to print such information. QMS 7-2-1 (Asset Control) further supports appropriate maintenance and security measures in respect of confidential and sensitive documents via its information asset classification system.

6. Receipt of unsolicited Personal Identifying and/or Sensitive Information

The possibility of receipt of unsolicited personal data is acknowledged by CRF Health. Receiving, storing or further disseminating or otherwise processing such personal data may be incompatible with CRF Health’s commitment to the principles of transparency and purpose limitation, since the individual (data subject) may not be aware of the dissemination of that personal data to CRF Health. It is CRF Health policy, on receipt of such personal data to take all necessary actions to halt further processing or dissemination of that personal data and to prevent the risk of recurrence of same.

The individual receiving such personal data will, on receipt (and without further sharing the personal data, including to Quality Management) notify Quality Management or other designated Privacy Official and raise an NCR (taking care not to capture any of the personal data in the NCR) that personal data has been received, providing relevant information regarding the supplier of the personal data, circumstances of receipt and project (if applicable). At the same time, the personal data in question will be destroyed and the supplier notified that they have made an errant transfer of personal data (this may be achieved via the Sponsor or CRA for Investigator Sites). If the transmission contained other, non-identifiable data that is required by CRF Health, the supplier should be requested to re-supply without the personal identifiers. CRF Health Quality Assurance will monitor NCRs for any trends in unsolicited data to permit escalations as appropriate for repeated occurrences.

7. Access to Personal and Sensitive Information

Access to information and systems is restricted to appropriate staff. For data held on the CRF Health network, this is managed via the Security Policy (QMS 0-1) and related IT and Security QMS documents. In accordance with national and international laws, data subjects (individuals or groups to whom the personal information pertains) have the right of access to personal data CRF Health holds on them to ensure that it is accurate and up-to-date, to have the ability to request its correction/modification or to request deletion of all or part of that information if it is inaccurate or no longer necessary for the purposes for which CRF Health has collected the personal information.

8. Retention and Archiving of Information

CRF Health does not keep personal data any longer than necessary to meet the business purpose for which it was collected, unless legal or regulatory reasons require that the information not be deleted.

Where it is required that information is not deleted, CRF Health will retain that information for the minimum period required by law or regulation. QMS 6-1 (Documentation) provides a records retention schedule.

In the case of clinical data, on transfer of ownership of information back to a Sponsor or Investigator, it shall be deemed that the new owner becomes responsible for assuring the confidentiality and security of the information.

9. Training and Awareness

Training in Privacy and Data Protection is mandatory for employees of CRF Health. In addition, all employees, regardless of contract type (permanent, temporary, etc.) are provided with access to this Policy and must acknowledge this policy within the Quality Management System Tool.

10. Clinical Trial Subject Data Obligations

Where trial subject data is processed by CRF Health (this would be pseudo-anonymized as standard but may contain e.g., year of birth), this will be processed in line with this policy, although the responsibility for ensuring that the trial subject is duly consented to processing of their data in accordance with applicable regulation lies solely with the Sponsor and Investigator site in obtaining that informed consent using the Ethics / IRB approved consent documents.

11. HIPAA Privacy Policy

11.1. Individually Identifiable Health Information

Personal Health Information collected within the US is pseudo-anonymised by patient ID. Some additional HIPAA personal information is collected for patient SMS text message reminders and electronic Informed Consent forms, but this information is obfuscated within the computer systems viewable by only the patients and their authorized investigators. All US data will be managed the same as EU data as all data is stored (processed) within the EU and becomes subject to EU legislation.

12. EU Directive Model Clauses Privacy Policy

The European Commission is empowered to recognize standard contractual clauses (known as model contract clauses) as offering adequate safeguards for the purposes of Article 26(2) of the Directive. The European Commission has approved model contract clauses that can be used by data exporters and data importers to transfer data outside the EEA. Where processing personal data is involved CRF Health utilizes appropriate model contract clauses (controller to controller and controller to processor) between its affiliates and with its customers and vendors to provide adequate safeguards for the processing of personal data.

The EU Data Protection Directive (Directive 95/46/EEC) requires transposition into Member State Regulation. As part of this transposition, a Member State may incorporate stricter requirements based upon the Directive. Recognizing variations in applicable local regulation, CRF Health is also registered as a Data Controller with the United Kingdom Information Commissioner’s Office (ICO). To see the CRF Health entry on the ICO Register, go to: http://ico.org.uk/.

CRF Health policy is to follow the higher standard where applicable.

12.1. Data Transfer Mechanism

12.2. Model Clauses Privacy Principles

12.2.1. Data Controller

Where CRF Health is a data controller with respect to personal data from individuals in the EEA, it will inform them about the purposes for which it collects and uses this information about them, the types of non-agent third parties to which CRF Health discloses that personal data, whether it intends to transfer personal data to a third country and the choices and means, if any, CRF Health offers individuals for limiting the use and disclosure of their personal data.

Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to CRF Health, or as soon as practicable thereafter, and in any event before CRF Health uses or discloses the information for a purpose other than that for which it was originally collected.

Where CRF Health receives personal data from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal data relates.

12.2.2. Purpose Limitation

CRF Health will process personal data and subsequently use personal data only for specified purposes or as subsequently authorized by the data subject.

12.2.3. Data Quality and Proportionality

CRF Health will have in place processes designed to ensure that personal data is accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.

12.2.4. Transparency

CRF Health will provide data subjects with information designed to ensure fair processing, such as information about the purpose of processing and data transfer.

12.2.5. Rights of Access, Rectification, Deletion and Objection

CRF Health takes reasonable precautions designed to ensure that personal data processed by CRF Health is accurate and, where necessary, kept up to date. CRF Health will take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without unreasonable delay. CRF Health will provide data subjects with personal information about them that CRF Health holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law.

12.2.6. Security and Confidentiality

CRF Health will take reasonable precautions to process personal data in a way designed to ensure appropriate protection of personal and/or sensitive information in its possession, including protection from accidental loss or destruction, misuse and unauthorized access, disclosure, alteration and destruction.

This will be achieved via appropriate physical and logical security mechanisms as set out in the Security Policy (QMS 0-1) and related security QMS documents.

Computer systems, equipment, networks, programs, data, and documentation are secured to the extent reasonably possible using existing technology.

Where personal data is to be transferred on physical media, the media will be kept away from any means of reading that information and appropriate password protection, encryption, or other means used to minimize the risk of unauthorized access to that information.

Further details of security mechanisms for transfer of personal data electronically and transport by employees of personal data are addressed in the applicable security QMS documents.

12.2.7. Enforcement

CRF Health will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy as well as continued suitability of this policy and related procedures for assurance of compliance with applicable privacy and data protection legislation. Should gaps or areas for improvement be identified, these will be addressed in accordance with the relevant procedures.

Where there is determined to be willful violation of this policy by an employee, that employee shall be subject to disciplinary action up to and including termination of employment. Any unsolicited reports or other serendipitous evidence of potential failures of compliance with this policy will be appropriately investigated, with actions commensurate with the result of that investigation implemented.

12.2.8. Dispute Resolution

Any questions or concerns regarding the use or disclosure of personal data should be directed to the head of CRF Health’s Quality Management stream or other designated Privacy Official. CRF Health will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data in accordance with the principles contained in this Policy. For complaints that cannot be resolved between CRF Health and the complainant, CRF Health will refer the dispute to the appropriate dispute resolution mechanism specified by the model contract clauses to which the dispute relates.

13. Privacy Shield Policy

CRF Inc. d.b.a CRF Health has adopted this Privacy Shield Policy (“Policy”) to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that CRF Health obtains from Customers located in the European Union and Switzerland.

CRF Health complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. CRF Health has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.

The Federal Trade Commission (FTC) has jurisdiction over CRF Health’s compliance with the Privacy Shield.

All CRF Health employees who handle Personal Data from Europe and Switzerland are required to comply with the Principles stated in this Policy.

13.1. SCOPE

This Policy applies to the processing of Individual Customer Personal Data that CRF Health receives in the United States concerning Individual Customers who reside in the European Union and Switzerland. CRF Health provides products and services to the pharmaceutical industry.

This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.)

13.2. RESPONSIBILITIES AND MANAGEMENT

The CRF Health VP Regulatory Affairs or Management designee will oversee its information security program, including its compliance with the EU-US Privacy Shield and Swiss-US Privacy Shield Programs. The VP Regulatory Affairs shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to regulatory@crfhealth.com.

CRF Health will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. CRF Health personnel will receive training, as applicable, to effectively implement this Policy. Please refer to Section 15.7 for a discussion of the steps that CRF Health has undertaken to protect Personal Data.

13.3. RENEWAL / VERIFICATION

CRF Health will renew its EU – US Privacy Shield and Swiss Privacy Shield certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to the re-certification, CRF Health will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Individual Customer Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, CRF Health will undertake the following:

a) Review this Privacy Shield policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Individual Customer Personal Data.

b) Ensure that the publicly posted privacy policy informs Individual Customers of CRF Health’s participation in the EU Privacy Shield and US Swiss Safe Harbor programs and where to obtain a copy of additional information (e.g., a copy of this Policy).

c) Ensure that this Policy continues to comply with the Privacy Shield principles.

d) Confirm that Individual Customers are made aware of the process for addressing complaints and any independent dispute resolution process (CRF Health may do so through its publicly posted website, Individual Customer contract, or both).

e) Review its processes and procedures for training Employees about CRF Health’s participation in the Privacy Shield programs and the appropriate handling of Individual’s Personal Data.

CRF Health will prepare an internal verification statement on an annual basis.

13.4. COLLECTION AND USE OF PERSONAL DATA

CRF Health may collect personal data from sponsor, site personnel, and employees, and personal sensitive information through clinical trial and general business activities. CRF Health takes appropriate action where unsolicited confidential data is received to prevent / minimize the risk of recurrence. See sections 3 and 4 of this policy for further details.

13.5. DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA

Except as otherwise provided herein, CRF Health discloses Personal Data only to Third Parties who reasonably need to know such data only for the scope of the initial transaction and not for other purposes. Such recipients must agree to abide by confidentiality obligations.

CRF Health may provide Personal Data to Third Parties that act as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, CRF Health may store such Personal Data in the facilities operated by Third Parties. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by CRF Health and they must agree, via written contract, to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy.

CRF Health also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Please be aware that CRF Health may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. CRF Health is liable for appropriate onward transfers of personal data to third parties.

13.6. SENSITIVE DATA

CRF Health does collect pseudo-anonymized Sensitive Data from clinical trial subjects. These patients have opted in during their enrollment into our customers’ clinical trials. This information will be used only for the purposes expressly consented to by the individual subjects.

13.7. DATA INTEGRITY AND SECURITY

CRF Health uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate. CRF Health has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to CRF Health’s electronic information systems requires user authentication via password and appropriate role, or similar means. CRF Health also employs access restrictions, limiting the scope of employees who have access to Individual Customer Personal Data.

Further, CRF Health uses secure encryption technology to protect certain categories of personal data. Despite these precautions, no data security safeguards guarantee 100% security all of the time.

13.8. NOTIFICATION

CRF Health notifies Individual Customers about its adherence to the EU-US Privacy Shield and Swiss-US Privacy Shield principles through its publicly posted website privacy policy, available at http://www.crfhealth.com/privacy/, and takes Individual Customers’ approval of and adherence to the current policy when they provide their information to us in the transactional process.

13.9. ACCESSING PERSONAL DATA

CRF Health personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.

13.10. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA

13.10.1. Right to Access

Individual Customers have the right to know what Personal Data about them is included in the databases and to ensure that such Personal Data is accurate and relevant for the purposes for which CRF Health collected it. Upon reasonable request and as required by the Privacy Shield principles, CRF Health allows Individual Customers access to their Personal Data by contacting CRF Health by phone or email. To request erasure of Personal Data, Individual Customers should submit a written request to their local CRF Health office.

13.10.2. Requests for Personal Data.

CRF Health will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arises: (a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from the Data Subject. If CRF Health receives a request for access to his/her Personal Data from an Individual Customer, then, unless otherwise required under law or by contract with such Individual Customer, CRF Health will refer such Data Subject to the Individual Customer.

13.10.3. Satisfying Requests for Access, Modifications, and Corrections.

CRF Health will endeavor to respond in a timely manner to all reasonable written requests to view, modify, or inactivate Personal Data.

13.11. ENFORCEMENT AND DISPUTE RESOLUTION

In compliance with the EU-US Privacy Shield and Swiss-US Privacy Shield Principles, CRF Health commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact CRF Health at: regulatory@crfhealth.com.

If a Customer’s question or concern cannot be satisfied through this process, CRF Health has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

If your complaint is not satisfactorily addressed, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”), and for Swiss Data Subjects, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. CRF Health agrees to cooperate with the relevant national DPAs and to comply with the decisions of the DPA Panel and the FDPIC.

Should your complaint remain fully or partially unresolved after a review by CRF Health, BBB EU Privacy Shield and the relevant DPA, you may be able to, under certain conditions, seek arbitration before the Privacy Shield Panel. For more information, please visit www.privacyshield.gov.

CRF Health is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

14. CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with the HIPAA, EU, & Privacy Shield Principles and applicable data protection and privacy laws and principles. We will make employees aware of changes to this policy either by posting to our intranet, through email, or other means. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.

15. QUESTIONS OR COMPLAINTS

Questions or comments regarding this Policy should be submitted to the head of CRF Health Regulatory Affairs or designated Privacy Officer by mail as follows:

CRF Health Regulatory Affairs/Privacy Officer
Suite 300
4000 Chemical Road
Plymouth Meeting, PA 19462

Internet Policy

1. Purpose

This document describes how CRF Health handles personal information gathered during user sessions on the company’s public internet site. It is written in the context of someone who would be reading the company’s website. Items under sections 2 and 5 require inputs and controls by CRF Health staff. This policy will be posted on our company website. This policy is associated with the CRF Health Privacy Policy QMS-0-0-2 which pertains to data collected via the company electronic clinical outcome assessment tools.

2. Internet Privacy Policy

CRF HEALTH’S ONLINE PRIVACY COMMITMENT TO YOU

CRF Health Management Limited and its subsidiaries (collectively, “CRF Health”) offers online newsletters and mailings of information about our organization. This is designed to provide product-related information and services, as well as corporate and financial news and employment information.

Respect for the privacy of personal information about you is very important to CRF Health. CRF Health is committed to adhering to this Privacy Policy, as well as applicable laws, rules and regulations. This Privacy Policy applies to Personal Information (as defined below) collected by CRF Health’s online resources located under the domain name [http://www.crfhealth.com], and subdomains of crfhealth.com, including all related pages (“Web Site”). This Privacy Policy does not apply to personal information collected from offline resources and communications. This Privacy Policy also does not apply to third-party online resources to which this Web Site may link, frame or otherwise reference.

Please read this Privacy Policy carefully. Should you have any questions about this Privacy Policy or CRF Health’s data collection, use and disclosure practices, please contact us at the address [http://www.crfhealth.com/contact/] that is most relevant to you.

(1) How does this Privacy Policy define “Personal Information”?

The term “Personal Information” as used throughout this Privacy Policy, applies to any information or set of information that is collected by CRF Health through its Web Site that can identify you (if provided by you), such as your name, address, phone number, e-mail address, company name and position.

(2) Why does CRF Health collect, use and disclose Personal Information?

CRF Health collects identifying information when you visit the Web Site (including, without limitation, any crfhealth.com web pages or landing pages), and when you submit data through a form such as those found on gated resources and contact pages.

When you visit the Web Site, CRF Health collects your Internet Protocol (“IP”) addresses to track and aggregate non-personal information. For example, CRF Health uses IP addresses to monitor the regions from which you navigate CRF Health’s Site.

In addition, we receive and store certain types of information whenever you interact with us via our Web Site, including what pages you visit and activities you perform on our Site. CRF Health automatically receives and records certain “traffic data” including your IP address, third party cookie information, and the page you requested. CRF Health uses this traffic data to help diagnose problems with its server, analyze trends and administer the Web Site. We may also use any data we collect on or through the Web Site to better understand and market to our customers or website users, individually or in the aggregate.

CRF Health collects and uses Personal Information for several general purposes: to fulfill your requests for certain products and services, to personalize your experience on our Web Site, to keep you up to date on the latest product announcements, software updates, special offers or other information we think you would like to hear about, and to better understand your needs and provide you with better services. We may also use your information to send you direct marketing information or contact you for market research using automated tools to contact multiple recipients.

CRF Health will give you the opportunity to “opt out” of receiving such materials. This means we assume you have given us your consent to collect and use your information in accordance with this Privacy Policy unless you take affirmative action to indicate that you do not consent, for instance by clicking or checking the appropriate option or box at the point of collection or upon receiving an automated email or text message.

(3) Who will have access to personal information about me?

Personal information about you will be accessible to CRF Health, including its subsidiaries, divisions and groups worldwide.

CRF Health may also share such information with agents, contractors or business partners of CRF Health in connection with services that these individuals or entities perform for, or with, CRF Health. Such third parties are restricted from using this data in any way other than providing services for or on behalf of CRF Health or its affiliates.

Except as set forth above, we will not otherwise use or disclose any of your personally identifiable information, except to the extent reasonably necessary: (i) to correct technical problems and malfunctions and to technically process your information; (ii) to protect the security and integrity of our Web Site; (iii) to protect our rights and property and the rights and property of others; (iv) to take precautions against liability; (v) to the extent required by law or to respond to judicial process; or (vi) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety, as applicable. In addition, CRF Health reserves the right to provide any or all collected Personal Information to a third party in connection with the sale, assignment, or other transfer of the business to which the information relates if such third party agrees to treat all such information in accordance with this Privacy Policy.

(4) How does CRF Health secure personal information?

We use appropriate security measures to protect against the loss, misuse and alteration of data used by our system. It is your personal responsibility to secure your own copies of your passwords and related access codes for our online resources.

(5) How can you stop receiving e-mails or other marketing information from CRF Health?

If you wish to stop receiving emails or other marketing information from us, you can instantly unsubscribe using the “Unsubscribe” hyperlink found at the bottom of each of our marketing emails. You may also visit our unsubscribe page at http://pages.crfhealth.com/unsubscribe.html.

(6) How does CRF Health protect the privacy of children?

In general, CRF Health’s Web Site is not directed at children and all of the online content that we offer is designed for individuals who are 18 years of age or older.

(7) How may I access and correct personal information about me?

To gain access to personal information about you collected online, and to keep it accurate, complete and current, you may contact us at the address most relevant to you [http://www.crfhealth.com/contact/]. Where permitted by law, your ability to access and correct personal information will be limited where access and correction would: (i) inhibit CRF Health’s ability to comply with a legal or ethical obligation; (ii) inhibit CRF Health’s ability to investigate, make or defend legal claims, result in disclosure of personal information about a third party; or (iii) result in breach of a contract or disclosure of trade secrets or other proprietary business information belonging to CRF Health or a third party.

(8) Cookie Policy

CRF Health uses cookies, tracking pixels and related technologies. Cookies are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us or third parties for a variety of purposes including to operate and personalize the website. Cookies may also be used to track how you use the site to target ads to you on other websites. A “session cookie” expires immediately when you end your session (i.e., close your browser). A “persistent cookie” stores information on the hard drive so when you end your session and return to the same website at a later date, the cookie information is still available. A web beacon is a small string of code that represents a clear graphic image, a redirect URL or JavaScript and is used in conjunction with a Cookie.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this Web Site. Therefore it is recommended that you do not disable cookies although the final decision is yours.

The Cookies We Set

When you visit our Web Site, we may use both session and persistent cookies. These cookies may contain information (such as a unique user ID) that is used to track your usage of our Web Site, and may be used to send you ads or offers when you browse our Web Site or other websites. CRF Health employs cookies to enable our systems to recognize your browser and tell us how and when pages in our Web Site are visited and by how many people, and also in order for our server to recognize a return visitor as a unique user.

CRF Health uses Web beacons alone or in conjunction with cookies to compile information about your usage of CRF Health’s Web Site and interaction with emails from CRF Health. For example, CRF Health may place Web beacons in marketing emails that notify CRF Health when you click on a link in the email that directs you to CRF Health’s Web Site. CRF Health uses Web beacons to operate and improve CRF Health’s Web Site and email communications and to send more customized or relevant emails, advertisements and offers to users.

Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site. Third party analytics are used to track and measure usage of this site so that we can continue to produce engaging content. These cookies may track things such as how long you spend on the site or pages you visit which help us to understand how we can improve the site for you.

This Web Site uses an automation system provided by Marketo, Inc., which uses cookies to recognize you as a unique user when you return to the site, and to track various data related to your website usage in order to provide custom content or services related to your specific interests. The cookies placed by the Marketo server are readable only by Marketo. For more information on Marketo cookies and what they are used for, click here.

CRF Health uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on your computer, to analyze your use of the website. The information generated by the cookie about your use of this website (including your shortened IP address) is transmitted to a Google server in the U.S. and stored there. Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and to provide other services related with the website and internet use. Google may also transfer this information to third parties if required by law, or where third parties process these data on behalf of Google. For more information about Google Analytics, or to opt out of Google Analytics, please go to: https://tools.google.com/dlpage/gaoptout

Opting Out of Targeted Advertising

You may opt out of targeted advertising by visiting the DAA opt-out site (www.aboutads.info) or the NAI opt-out site (networkadvertising.org/choices), or for those in Europe, the EDAA opt out site (youronlinechoices.eu).

(9) What is CRF Health’s contact address for privacy questions?

Should you have questions about this Privacy Policy or CRF Health’s information collection, use and disclosure practices, you may contact us via email at hello@crfhealth.com. When you contact us, please note the name of the Web Site or other online resource to which you provided the information, as well as the nature of the information that you provided. We will use reasonable efforts to respond promptly to requests, questions or concerns you may have regarding our use of personal information about you. Except where required by law, CRF Health cannot ensure a response to questions or comments regarding topics unrelated to this Privacy Policy or CRF Health’s privacy practices.

(10) How will I know when CRF Health has updated this Privacy Policy?

CRF Health may update this Privacy Policy periodically. CRF Health reserves the right to modify, add or remove portions of this privacy statement at its discretion. If we decide to change this Privacy Policy, we will post those changes at this Web Site.

EUROPEAN UNION DATA PROTECTION DIRECTIVE

In accordance with Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, the Annex titled “Standard Contractual Clauses” is hereby incorporated by reference in its entirety. With respect to such Annex the “Data Exporter” shall be defined as you and the “Data Importer” shall be defined as CRF Health. You may find a complete version of the text on our regulatory page [http://www.crfhealth.com/regulatory/].

NO REPRESENTATIONS/ NO LIABILITY

CRF Health makes no representations about the content of the information found on this Web Site. The information presented on this Web Site is provided to you “AS IS,” WITHOUT ANY WARRANTY, IMPLIED OR EXPRESSED, INCLUDING BY WAY OF EXAMPLE BUT WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR OTHERWISE.

Under no circumstances shall CRF Health assume liability for the use or interpretation by you of information found on this Web Site; rather, this will be your responsibility.

CRF Health expressly disclaims liability for any direct, indirect, incidental, consequential or special damages arising out of your visit to this Web Site and/or the information contained on this Web Site, even if CRF Health is proven negligent.
