Additional Privacy Notice for Users in Jurisdictions Subject to GDPR Regulation
In the context of your enrollment with a Covered Clinical Trial, we will seek your explicit separate consent if we intend to process certain of your personal data for purposes that may go beyond the immediate requirements of a Covered Clinical Trial. You may revoke this consent at any time free of charge in the same manner as such consent was given or in any other form of communication that makes sure we receive your communication. If you withdraw your consent, we will no longer process your data unless we are relying on grounds different from your consent for processing the data in question. Also, the withdrawal of your consent does not affect the lawfulness of any processing based on your consent that occurred prior to your withdrawal.
1. Data we may be Processing:
Such data are: your mobile phone number, the IMEI identifying number associated with your mobile device, and video images of you performing one or more sequences of steps, such as administering medication, or answering questions in response to prompts presented to you. This data is initially collected in a non-anonymized, non-pseudonymized format. The data is stored in an encrypted format, both when in motion and at rest.
Purpose of Supplemental Processing:
We use your data for the purpose of improving the functionality and performance of the algorithm underlying our Application so as to improve its usefulness to future patients and medical science in general.
2. Retention of Data
We will retain your data for the purposes described in the preceding paragraph (typically no longer than 2 years after the end of any clinical trial in which you are enrolled, but in any event no longer than required for making the above-mentioned improvements). FDA regulations require us to retain clinical trial related data after the completion of a study as defined by the entity conducting the Covered Clinical Trial.
3. Third Party Access to Data
We will not share your data with third parties unless we have obtained your consent or there is another legal basis recognized by the applicable data protection laws of the European Union or its Member States, such as the fulfillment of a contract you may have entered into with us. Moreover, as we are regulated by the U.S. agency overseeing the medical device industry, the FDA, we may be compelled to disclose such data to the FDA in the context of regulatory investigations.
In addition we may be granting third parties access to your data as we reasonably believe to be necessary (a) to comply with applicable law, including laws outside your state or country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities including public and government authorities outside your state or country of residence; provided that in all instances mentioned in (a) – (c) the subject request is based upon an international agreement, such as a mutual legal assistance treaty, in force between a requesting third country and the European Union, or a Member State, or is lawful based on other grounds recognized by the GDPR or applicable laws of EU Member States. We may also share your data with third parties to the extent that is reasonably required for us (a) to enforce our terms and conditions; or (b) taking into account your fundamental rights and freedoms, (i) to protect our operations or those of any of our affiliates; (ii) to protect your rights, privacy, safety or property, and/or ours or that of our affiliates or others; and (iii) to allow us to pursue available remedies or limit the damages that we may sustain.
4. Transfers of Personal Data to Countries Outside the EU
We are located in the United States and are EU-US Privacy Shield certified. This means that we are committed to treating any data you transmit to us from the EU to the US in accordance with the Privacy Shield Principles (https://www.privacyshield.gov/EU-US-Framework). Entities like ours that certify to the Privacy Shield principles are considered to offer adequate protection to personal data, as determined by the European Commission. By submitting your personal data via the Application, your personal data will be transferred to us pursuant to these EU-U.S. Privacy Shield principles. For information with respect to the enforcement mechanisms available to protect your rights under the EU-U.S. Privacy Shield Mechanism, see the respective statements on our main website.
5. Your Rights as a Data Subject
You may exercise your rights as a data subject listed in this Section 2.6 by contacting us at firstname.lastname@example.org or by writing to us at the address listed in Section 5 of this Privacy Statement. We will respond to any such inquiries within one month from the date we receive your inquiry, either by fulfilling your request or by informing you about any obstacles or questions in relation to your request. Depending on the circumstances, we may need up to two additional months to complete our response to your request.
You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of alleged infringement, if you consider that the processing of your personal data by us or the way we respond to your inquiries infringes applicable data protection laws. A list of data protection supervisory authorities is available here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
5.1. Accessing your Data
You have the right to request access to your personal data (including receiving a copy thereof) as well as additional information about the processing.
In case you discover factual inaccuracies with respect to the personal data we hold with respect to you, you may request a correction to make such data factually accurate.
5.3. Right to Erasure
You are entitled to have your personal data erased under specific circumstances, such as where you have withdrawn your consent, where you object to processing based on legitimate interests and we do not have overriding legitimate grounds (see below) or where personal data is unlawfully processed, provided that applicable law does not provide otherwise. Please be advised that it may not be technologically possible to remove from our systems immediately every record of your personal data. The need to back up our systems to protect information from inadvertent loss means that a copy of your personal data may exist in a non-erasable form that may make it difficult or impossible for us to locate or remove immediately.
5.4. Right to Restriction of Processing
You have the right to restrict the processing of your personal data (that is, allow only its storage) where:
– you contest the accuracy of the personal data, until the Sponsor or we have taken sufficient steps to correct or verify its accuracy;
– where the processing is unlawful but you do not want the Sponsor or us to erase the personal data;
– where the Sponsor no longer needs your personal data for the purposes of the processing, but you require such personal data for the establishment, exercise or defence of legal claims; or
– where you have objected to processing justified on legitimate interest lawful grounds (see below), pending verification as to whether the Sponsor has compelling legitimate grounds to continue processing.
Where your personal data is subject to such a restriction of processing, we will only process it with your consent or for the establishment, exercise or defence of legal claims.
5.5. Right to Object to Processing
5.5.1. Processing based on legitimate interest grounds
Where we rely upon legitimate interests to process personal data (which includes processing of all data for which we have not obtained your explicit consent), you have the right to object to that processing. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal data in question for the establishment, exercise or defence of legal claims, or applicable law requires otherwise.
5.5.2. Right to object to direct marketing (including profiling)
While we do not use your personal data for direct marketing, you have the right to object to our use of your personal data (including profiling) for direct marketing purposes.
5.6. Data Portability
You have the right to receive all such personal data which you have provided to us in a structured, commonly used and machine-readable format, and may also require us to transmit such data to another controller where this is technically feasible.
6. Contacting Us
We welcome any queries, comments, complaints or requests you may have regarding this Privacy Notice. Please do not hesitate to contact us at:
- Attn: Gordon Kessler, General Counsel, Corporate Security Officer
- 19 West 24th Street, 11th Floor
- New York, NY 10010
AiCure has appointed 2B Advice GmbH as its European GDPR Data Protection Officer. You can reach them by sending an email to email@example.com.
Changes to this Notice
If we alter our Privacy Notice, you can review any changes at this web location.