Privacy Shield - Concept Medical
Privacy Shield

Concept Medical Inc. is committed to protecting your privacy. This privacy policy (the “Policy”) sets out the privacy principles which Concept Medical Inc. follows with respect to transfers of personal data from the European Union (EU) and Switzerland to the United States including personal data relating. 

Privacy Shield Framework

Concept Medical Inc. complies with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union member countries, the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. Concept Medical Inc. has certified that it adheres to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and the Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, as set forth by the U.S. Department of Commerce.

To learn more about the Privacy Shield program, and to view our certification, please visit http://www.privacyshield.gov.

This Policy applies to the processing of Personal Information that Concept Medical Inc. receives in the United States concerning individuals who reside in Switzerland and the EEA. This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes to prevent identification of individual persons).

If there is any conflict between the provisions in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

Scope

This Policy applies to all personal information, whether in electronic or paper format, received by Concept Medical Inc. in the United States from the EU, the United Kingdom and Switzerland and outlines our general policy for the implementation of the Principles.

Definitions

For the purposes of the Policy, the following definitions shall apply:

  • “Data Processor” means any third party processing personal information on behalf of, and under the instruction of Concept Medical Inc.
  • “European Union” or “EU” means for the purposes of this Policy all countries within the European Economic Area (EEA).
  • “Clinical Trial Participant” means an individual participating in a clinical trial in the EU and providing personal information to third parties Concept Medical Inc. has contracted with to conduct the study. Clinical Trial Participant has the same meaning as “Data Subject” under Article 4 of the GDPR.
  • “Pseudonymised Data” means Personal Data that can no longer be attributed to a specific individual in the EU without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an individual. Concept Medical Inc. will protect Pseudonymised Data subject to the GDPR with the same care and high standards as Personal Data.
  • “Anonymous Data” is information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The GDPR does not concern the processing of Anonymous Data.
  • “Clinical Trial Data” is the data collected and processed by Concept Medical Inc. for clinical trial purposes. It includes Pseudonymised Data received from third parties as well as new data generated by Concept Medical Inc. and third parties based on data collected for the clinical trial. These new data may not relate to an identified or identifiable natural person.
  • “Personal data” and “personal information” means data about an identified or identifiable individual that are within the scope of the Directive, received by Concept Medical Inc. in the United States from the European Union, and recorded in any form. It does not include personal information that has been anonymized or that is publicly available, that has not been combined with non-public personal information.
  • “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
  • “Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sex life. In addition, Concept Medical Inc. will treat as sensitive, any information received from a third party where that third party treats and identifies the information as sensitive.

Privacy principles

The privacy principles in this Policy are in accordance with the Principles set out in the EU-US and Swiss-US Privacy Shield Frameworks.

Notice

Where Concept Medical Inc. collects personal information directly from individuals in the EU, the United Kingdom or Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which Concept Medical Inc. discloses that information, and the choices and means, if any, that Concept Medical Inc. offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to Concept Medical Inc., or as soon as practical thereafter, and in any event before Concept Medical Inc. uses the information for a purpose other than that for which it was originally collected.

Where Concept Medical Inc. receives personal information from its subsidiaries, affiliates or other entities in the EU, the United Kingdom or Switzerland, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

During the conduct of its operations, Concept Medical Inc. may collect and process personal information relating to:

  1. Study participants. The collection of personal information such as contact information, qualifications, debarment status and account information is to facilitate the proper conduct of research studies and to carry out other study related services. Information collected may be transferred to the third-party service providers performing study related duties and may furthermore be transferred to regulatory authorities;
  2. Customers, vendors and consultants. Concept Medical Inc. keeps contact information, account numbers and information relating to billing, together with other information which may be necessary for the daily operation of Concept Medical Inc.’s services including conducting customer, product and service surveys, direct marketing of products and services, handling customer complaints and enquiries, making disclosure under the requirements of any law applicable, and any other directly related matters;
  3. Human resources data such as curriculum vitae, contract information, residential address, date of birth, gender, government identification number, account information, qualifications and training records, debarment status, performance reviews, which is processed to support Concept Medical Inc.’s human resources functions and activities including the administration of employee benefits, compensation, management of employee performance, business planning, disciplinary procedures including the investigation and reporting of complaints and for compliance with legal obligations, policies and procedures.

Concept Medical Inc. may use the personal information it collects to comply with our legal obligations, policies and procedures and for internal administrative purposes.

Concept Medical Inc. may not need to furnish notice where processing is necessary to respond to a government inquiry, is required or authorized by applicable laws, court orders or government regulations, or is necessary to protect Concept Medical Inc.'s legal interests and providing notice would interfere with the above requirements.

Clinical Trial

Concept Medical Inc. contracts with a Contract Research Organisation (CRO) to run trials based on the protocols, or “instructions”, we have developed. The CRO selects investigators and study sites, processes Clinical Trial Data based on the protocol, and monitors the trial activities. CROs and third parties engaged by Concept Medical Inc. for the purposes of conducting a clinical trial are required by law and contractual undertakings to:

  • Keep your Personal Data confidential and secure; and
  • Use and disclose it for purposes that a reasonable person would consider appropriate in the circumstances, in compliance with all applicable legislation.

Categories of third parties that Concept Medical Inc. engages for clinical trials include:

  • Wholly owned subsidiaries of Concept Medical Inc.
  • Contract Research Organisations
  • Statistical Research Analysts
  • Clinical advisors
  • Technical providers for hosting and software services
  • Safety board

Choice

Concept Medical Inc. offers individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.  Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.

For sensitive information, Concept Medical Inc. will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  In addition, Concept Medical Inc. will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

Accountability for onward transfer

Transfers of personal information to a third party acting as a data processor are covered by the provisions of this Policy regarding Notice and Choice Principles.  Concept Medical Inc. holds contracts with the third-party data processor that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Concept Medical Inc. if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party data processor ceases processing or takes other reasonable and appropriate steps to remediate.

When transferring personal information to a third party acting as a Data Processor, Concept Medical Inc.: (i) transfers such data only for limited and specified purposes; (ii) has ascertained that the Data Processor is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that the Data Processor effectively processes the personal information transferred in a manner consistent with Concept Medical Inc.’s obligations under the Principles; (iv) requires the Data Processor to notify Concept Medical Inc. if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), Concept Medical Inc. will take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that Data Processor to the Department of Commerce upon request.

Concept Medical Inc. is potentially liable in cases of onward transfer to third parties of data of EU, United Kingdom or Swiss individuals received pursuant to the Privacy Shield Framework.

Security

Concept Medical Inc. takes reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data integrity and purpose limitation

Concept Medical Inc. uses personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Concept Medical Inc. takes reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current. Concept Medical Inc. will only collect and store Personal Information that is relevant to fulfill the purpose and will retain such information no longer than appropriate to fulfill the purpose.

Access and correction

Upon request, Concept Medical Inc. will grant individuals reasonable access to the personal information it holds about them. In addition, Concept Medical Inc. will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or has been processed in violation of the Principles.

Verification

Concept Medical Inc. will use a self-assessment verification approach and conduct compliance audits of its applicable privacy practices to verify adherence to this policy. Concept Medical Inc.'s employees receive ongoing privacy awareness training on Concept Medical Inc.'s privacy principles and practices.

Recourse, enforcement and liability

Any complaints or concerns regarding the use or disclosure of personal information transferred from the EU, the United Kingdom or Switzerland to the US should in the first instance be directed to the Concept Medical Inc. Global Data Protection Officer at the address given below. Concept Medical Inc. will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles within 45 days of receiving a complaint. Complaints that cannot be resolved internally will be referred to the applicable EU Data Protection Authorities or the Swiss Federal Data Protection and Information Commissioner (FDPIC) to address complaints and provide appropriate recourse, which will be provided free of charge to the individual. Concept Medical Inc. is committed to following the determination and advice of these authorities. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means.

Concept Medical Inc. complies with the Privacy Shield Principles and is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Any employee that Concept Medical Inc. determines is in violation of this policy will be subject to disciplinary action.

Limitation on scope of principles

Adherence by Concept Medical Inc. to this policy may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement.

Changes to this policy

This policy may be amended from time to time, consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended policy, as stated.

Contact information

Questions, complaints or comments related to this policy, data processing or data collection should be submitted to the Concept Medical Global Privacy department:

Attention: Privacy department
Concept Medical B.V.
Hogebrinkerweg 33, 3871KM Hoevelaken, The Netherlands.
pivacy@conceptmedicals.com