Additional Privacy Notice for Clinical Trial Subjects in Jurisdictions Subject to GDPR Regulation
In the context of your enrollment with a Covered Clinical Trial, we collect personal data about you when the Sponsor subscribes to the Services and designates you as a Clinical Trial Subject, and when you register to use and thereafter use the Services. We do not collect personal data about you from any third party but the Sponsor.
1. Personal Data we may collect and be Processing:
Such data are: your mobile phone number, and audio/video images of you performing one or more sequences of steps, such as administering medication, or answering questions in response to prompts presented to you. This data is initially collected in a non-anonymized, non-pseudonymized format. The data is stored in an encrypted format, both when in motion and at rest.
2. Use of your Personal data
To provide our Covered Clinical Trial Services, we may process your personal data for the following purposes:
- to set up your account;
- to confirm that you are the person using our application each time;
- to record the timing and dose of medications that you take;
- to store audio/video recordings of you taking your medications;
- to record the timing and dose of your other interactions with our application;
- to process stored audio/video recordings;
- to irrevocably anonymize your personal data, after which we may disclose it to third parties for research or similar purposes.
3. Lawful Grounds
In the context of your enrollment with a Covered Clinical Trial, the lawful ground for processing your collected Personal data is your explicit consent. To the extent not provided in your explicit consent, the lawful ground for processing your other personal data is the Sponsor’s desire to accomplish a legitimate objective without prejudice to your overriding privacy and other important interests in ensuring that your medication adherence is consistent with the clinical trial protocol and the doses prescribed for you, that you respond to any provided questions or evaluations so that your treatment is optimized and the clinical trial results are as reliable as possible.
You may revoke this consent at any time free of charge in the same manner as such consent was given or in any other form of communication that makes sure we receive your communication. If you withdraw your consent we will no longer process your data unless we are relying on grounds different from your consent for processing the data in question. Also, the withdrawal of your consent does not affect the lawfulness of any processing based on your consent that occurred prior to your withdrawal.
4. Retention of Data
Any collected audio/video recordings and identifiable data will be deleted at the end of the Covered Clinical Trial. FDA regulations may require us to retain clinical trial related data after the completion of a study as defined by the entity conducting the Covered Clinical Trial.
5. Third Party Access to Data
We will not share your data with third parties unless we have obtained your consent or there is another legal basis recognized by the applicable data protection laws of the European Union or its Member States, such as the fulfillment of a contract you may have entered into with us. Moreover, as we are regulated by the U.S. agency overseeing the medical device industry, the FDA, we may be compelled to disclose such data to the FDA in the context of regulatory investigations.
In addition we may be granting third parties access to your data as we reasonably believe to be necessary (a) to comply with applicable law, including laws outside your state or country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities including public and government authorities outside your state or country of residence; provided that in all instances mentioned in (a) – (c) the subject request is based upon an international agreement, such as a mutual legal assistance treaty, in force between a requesting third country and the European Union, or a Member State, or is lawful based on other grounds recognized by the GDPR or applicable laws of EU Member States. We may also share your data with third parties to the extent that is reasonably required for us (a) to enforce our terms and conditions; or (b) taking into account your fundamental rights and freedoms, (i) to protect our operations or those of any of our affiliates; (ii) to protect your rights, privacy, safety or property, and/or ours or that of our affiliates or others; and (iii) to allow us to pursue available remedies or limit the damages that we may sustain. We may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
6. Transfers of Personal Data to Countries Outside the EU
We are located in the United States and enter into the EU-approved Standard Contractual Clauses, or rely on the new Data Privacy Framework as set forth below, as a data processor in order to transfer your data to the United States. We also implement additional safeguards to mitigate any additional risk posed by transferring your data to the United States. By submitting your personal data via the Application, your personal data will be transferred to us pursuant to these Standard Contractual Clauses and Additional Safeguards.
AiCure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. AiCure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. AiCure has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/.
All participating organizations must inform individuals about each element listed in the Notice Principle, including the participating organizations’ liability in cases of onward transfers to third parties. The Accountability for Onward Transfer Principle explains that AiCure retains responsibility for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf (an “onward transfer”). AiCure shall remain liable under the DPF Principles if our agent processes such personal information in a manner inconsistent with the DPF Principles, unless AiCure proves that it is not responsible for the event giving rise to the damage.
7. Your Rights as a Data Subject
You may exercise your rights as a data subject listed in this Section 7 by contacting us at privacy@aicure.com or by writing to us at the address listed in Section 8 of this Privacy Statement. We will respond to any such inquiries within one month from the date we receive your inquiry either by fulfilling your request or informing you about any obstacles or questions in relation to your request. Depending on the circumstances, we may need up to two additional months to complete our response to your request.
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), AiCure LLC has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
- by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
- by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
Pursuant to the UK GDPR, AiCure LLC has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
- by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
- by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.
You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of alleged infringement, if you consider that the processing of your personal data by us or the way we respond to your inquiries infringes applicable data protection laws. A list of data protection supervisory authorities is available here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), AiCure commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact AiCure as set forth below.
AiCure has further committed to refer unresolved DPF Principles-related complaints to an independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
The Federal Trade Commission has jurisdiction over AiCure’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
7.1. Accessing your Data
You have the right to request access to your personal data (including receiving a copy thereof) as well as additional information about the processing.
7.2. Correction
In case you discover factual inaccuracies with respect to the personal data we hold about you, you may request a correction to make such data factually accurate.
7.3. Right to Erasure
You are entitled to have your personal data erased under specific circumstances, such as where you have withdrawn your consent, where you object to processing based on legitimate interests and we do not have overriding legitimate grounds (see below) or where personal data is unlawfully processed, provided that applicable law does not provide otherwise. Please be advised that it may not be technologically possible to remove from our systems immediately every record of your personal data. The need to back up our systems to protect information from inadvertent loss means that a copy of your personal data may exist in a non-erasable form that may make it difficult or impossible for us to locate or remove immediately but will be stored encrypted in a data-at-rest state and will be deleted over time in accordance with our backup deletion policy.
7.4. Right to Restriction of Processing
You have the right to restrict the processing of your personal data (that is, allow only its storage) where:
– you contest the accuracy of the personal data, until the Sponsor or we have taken sufficient steps to correct or verify its accuracy;
– where the processing is unlawful but you do not want the Sponsor or us to erase the personal data;
– where the Sponsor no longer needs your personal data for the purposes of the processing, but you require such personal data for the establishment, exercise or defence of legal claims; or
– where you have objected to processing justified on legitimate interest lawful grounds (see below), pending verification as to whether the Sponsor has compelling legitimate grounds to continue processing.
Where your personal data is subject to such a restriction of processing, we will only process it with your consent or for the establishment, exercise or defence of legal claims.
7.5. Right to Object to Processing
7.5.1. Processing based on legitimate interest grounds
Where we rely upon legitimate interests to process personal data (which includes processing of all data for which we have not obtained your explicit consent), you have the right to object to that processing. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal data in question for the establishment, exercise or defence of legal claims, or applicable law requires otherwise.
7.5.2. Right to object to direct marketing (including profiling)
While we do not use your personal data for direct marketing, you have the right to object to our use of your personal data (including profiling) for direct marketing purposes.
7.6. Data Portability
You have the right to receive all such personal data which you have provided to us in a structured, commonly used and machine-readable format, and may also require us to transmit such data to another controller where this is technically feasible.
8. Contacting Us
We welcome any queries, comments, complaints or requests you may have regarding this Privacy Notice. Please do not hesitate to contact us at:
AiCure
Attn: Gordon Kessler
General Counsel, Data Privacy Officer
214 Sullivan Street, 6C
New York, NY 10012
1-800-570-0448
legal@aicure.com
AiCure has appointed 2B Advice GmbH as its European GDPR Data Protection Officer. You can reach them by sending an email to aicure@2b-advice.com.
Changes to this Notice
If we alter our Privacy Notice, you can review any changes at this web location.
Updated September 12, 2023