Home / Privacy at Worldwide / Global Privacy Policy

Global Privacy Policy

Table of Content

Download PDF Document Of Worldwide Global Privacy Policy

1. Introduction and Purpose
2. Definitions
3. Privacy Principles
4. Personal data that we collect
5. How we protect your personal data
6. Your rights as a Data Subject
7. How long we retain your personal data
8. Information about our online practices
9. Cookie Policy
10. Additional information for residents of California
11. Data Privacy Framework Statement
12. Changes and Updates
13. How to Contact Us

1. Introduction and Purpose

The mission of the Data Privacy department is to ensure that Worldwide Clinical Trials and its corporate affiliates (“Worldwide”) complies with all legal, regulatory, ethical, and contractual obligations related to the protection of personal data; meets or exceeds customer expectations with industry-leading privacy processes; and protects the rights and freedoms of participants in clinical trials.

The purpose of this Global Privacy Policy (the “Policy”) is to demonstrate our commitment to the Seven Principles of Data Privacy by employing a program of accountability and continuous improvement, and to provide adequate notice and transparency of our privacy practices to data subjects. Worldwide adheres to the principles of “privacy by design and by default”, in line with Article 5 of the GDPR, which requires that personal data be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject; and (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

2. Definitions

Consent: freely given, specific, informed, and unambiguous indication of your wishes by which you signify agreement with the processing of personal data relating to you.

Data Protection Officer (“DPO”): a person or entity, officially appointed to monitor and advise on a company’s compliance with the GDPR and other applicable data protection laws.

Data Subject: an identified or identifiable natural person whose personal data are processed.

GDPR: The General Data Protection Regulation, European Regulation 2016/679 of 27 April 2016 (“on the protection of natural persons with regard to the processing of personal data and the free movement of such data”). For the purposes of this Policy, “GDPR” also applies to comparable privacy laws in the United Kingdom, Switzerland, and Serbia to the extent that they have the same or substantially similar provisions.

IP Address: a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP).

Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Process or Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Privacy Principles

We abide by the Seven Principles of Privacy Protection. These Principles are:

  • Guaranteeing lawfulness, fairness, and transparency in all communications
  • Confirming there is a valid purpose for collecting any personal data
  • Limiting personal data collection to only that which is necessary
  • Verifying that personal data is accurate
  • Diligently adhering to effective data retention policies
  • Ensuring personal data is handled with integrity and confidentiality
  • Ensuring accountability in all activities involving personal data

Alignment with the Principles is built into how we operate and how we interact with data subjects. We believe in data privacy by design and by default, and ensure that all of our systems and processes take the Principles into account.

4. Personal data that we collect

Category of Data SubjectTypes of Data CollectedSensitive Data CollectedPurpose of the ProcessingLegal Basis for ProcessingTransfer to third parties
Clinical Trial ParticipantsPseudonymized (coded) health data, date of birth, initials, demographic data, race/ethnicity, genderYesConducting a clinical trial, compliance with legal, ethical, and safety requirementsLegitimate Interest of the sponsor of the clinical trial

Legal obligation imposed on the sponsor of the clinical trial

Public Interest

Consent		Yes, to vendors or the sponsor as required to carry out the clinical trial or to submit trial results to ethical, regulatory or safety authorities
Prospective Clinical Trial ParticipantsPseudonymized (coded) health data, date of birth, initials, demographic data, race/ethnicity, genderYesTo determine eligibility to participate in a clinical trialLegitimate Interest of the sponsor of the clinical trial

Public Interest

Consent		Yes, as required for ethical, regulatory or safety authorities
Clinical Trial Site StaffName, contact information, CV/resume, financial information for paymentNoTo provide a list of potential sites/investigators to Sponsors

To determine ability to conduct the clinical trial

To manage the clinical trial, including payment as applicable

To include investigator’s data in Worldwide databases		Legitimate Interest of Worldwide

Legitimate Interest of the sponsor of the clinical trial

Legal obligation imposed on the sponsor of the clinical trial
Consent

Fulfillment of a legal or regulatory obligation

Fulfillment of a contract		Yes, to vendors or the sponsor as required to carry out the clinical trial or to submit trial results to ethical, regulatory or safety authorities
Business PartnersName, contact information, financial information for paymentNoConducting business operations, ensuring compliance with legal, ethical, and safety requirementsConsent

Fulfillment of a legal or regulatory obligation

Fulfillment of a contract		Study-related vendors: Yes, to Worldwide staff in the US for payment or management purposes, to other vendors or the sponsor as required to carry out the clinical trial or to submit trial results to ethical, regulatory or safety authorities

Corporate vendors: Yes, Worldwide staff in the United States for payment or management purposes, or to legal or governmental authorities as required by applicable law.
Job ApplicantsName, contact information, CV/resumeNoTo determine ability to fulfill the requirements of a job postingConsent

Fulfillment of a legal or regulatory obligation (only in jurisidictions where this is required by law)		Yes, to vendors who confirm eligibility and qualifications
Employees & Former employees, including current or former consultants and contractorsName, contact information, CV/resume, educational background and transcripts, background check information (only if permitted by law), job performance information, race/ethnicity (only if required by law), date of birth (only if required by law), current and previous salary information, financial and bank account information, vaccination status, information required to provide health care or other social benefits, information required to administer medical or family leave (to the extent required by law), trade union membership (only if required by law).YesTo ensure a qualified workforce

To administer employee payroll and benefits

To fulfill legal requirements under applicable employment or other applicable laws

To ensure a safe and healthy workplace		Consent

Fulfillment of a legal or regulatory obligation (only in jurisidictions where this is required by law)

Fulfillment of a legal or regulatory obligation

Legitimate Interest of Worldwide		Yes, to vendors who provide services to Worldwide, including payroll, benefits, and other services, or to legal or governmental authorities as required by applicable law.

Also to Worldwide staff in the US for payment or management purposes, to other vendors or the sponsor as required to carry out the clinical trial or to submit trial results to ethical, regulatory or safety authorities
Information of children under 16N/A (except when a child is a clinical trial participant or potential clinical trial participant with the consent of a parent or legal representative)

Worldwide does not intend for children under 16 to use this website and does not knowingly solicit or retain any personal information of children under the age of 16.		N/AN/AN/AN/A

5. How we protect your personal data

We will inform you of our privacy practices, including the purposes for which we collect and use your Personal Data, the people or types of people who will have access to it, including the types of third parties who may have access to your Personal Data, and the choices and means, if any, you have for limiting the use and disclosure of your Personal Data.

When we are Processing Personal Data as a data processor (for example, as a CRO on behalf of client or sponsor), we will only use your Personal Data according to the privacy notices and instructions issued by those entities who determine the purpose and means of the Processing.

When required or permitted by applicable law, we obtain your consent before the collection, use or disclosure of your Personal Data. To the extent we can under applicable law, we will respect your choices and requests to limit the collection, use, transfer or other Processing of your Personal Data.

If we are processing your Personal Data based on your consent, you have the right to withdraw your consent at any time and no additional Personal Data will be collected from you. We may be able to retain and continue to use your Personal Data under certain circumstances, such as to demonstrate the safety or efficacy of the investigational drug in a clinical trial, for legal or regulatory purposes, to defend ourselves in a legal claim, or for other reasons permitted under applicable data privacy laws.

We will only carry out international transfers of Personal Data within or outside of our group of affiliated companies and agents, when we have implemented adequate safeguards and reasonable privacy controls for such information in compliance with applicable laws.

We may be required under applicable law to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We have analysed the risks of transferring data to our various affiliates, and have committed to ensuring adequate safeguards and supplementary measures are in place to ensure Personal Data remains protected.

We may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf. We take reasonable and appropriate steps, including execution of written contracts, to require third-party agents and service providers to only process Personal Data in accordance with applicable law and the principles contained in this Global Privacy Policy. We will provide a summary or representative copy of relevant privacy provisions of our contracts with a third party upon request.

We implement appropriate administrative, physical, and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We evaluate any potential security incident/personal data breach, and report any unauthorized disclosure of Personal Data as required by and in accordance with applicable laws.

We will ensure that Personal Data is accurate, complete and relevant for its intended use. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

When we are processing Personal Data on behalf of a data controller (for example, as a CRO on behalf of client or sponsor), we will act according to the instructions of and contractual terms in place with the data controller to support the data controller’s obligations under the Data Use, Integrity & Retention principle.

We will only collect and Process Personal Data that is relevant and necessary to fulfill the purpose for which it was collected.

We will retain Personal Data only as long as necessary or required to fulfil the purpose of the collection. Clinical trial participant data will be retained according to applicable clinical trial regulations, which may as long as 25 years in some jurisdictions.

When we Process Personal Data on behalf of a data controller (for example, as a CRO on behalf of client or sponsor), we will act according to the instructions of and contractual terms in place with the data controller to support the data controller’s obligations under the Purpose Limitation principle.

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the our Data Protection Officer at any of the locations or addresses listed below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy and requirements under applicable law.

Data subjects are also eligible to seek recourse and enforcement by contacting the data protection authorities in your country of residence. More information can be found below.

6. Your rights as a Data Subject

RightFull ApplicabilityPartial/Limited Applicability
To be InformedClinical Trial Staff, Job Candidates, Employees & Former employees, including current or former consultants and contractorsClinical Trial Participants (enrolled or prospective)
AccessClinical Trial Staff, Job Candidates, Employees & Former employees, including current or former consultants and contractorsClinical Trial Participants (enrolled or prospective)
Rectification and CorrectionClinical Trial Staff, Job Candidates, Employees & Former employees, including current or former consultants and contractorsClinical Trial Participants (enrolled and prospective) (subject to applicable legal requirements)
ErasureJob CandidatesClinical Trial Staff, Clinical Trial Participants (enrolled and prospective), Employees & Former employees, including current or former consultants and contractors (subject to applicable legal requirements)
Restriction of ProcessingJob CandidatesClinical Trial Staff, Clinical Trial Participants (enrolled and prospective), Employees & Former employees, including current or former consultants and contractors (subject to applicable legal requirements)
Data PortabilityClinical Trial Staff (subject to applicable legal requirements)Job Candidates, Employees & Former employees, including current or former consultants and contractors (subject to applicable confidentiality requirements), Clinical Trial Participants (enrolled and prospective) (subject to applicable legal requirements)
To Object to ProcessingJob CandidatesClinical Trial Staff, Clinical Trial Participants (enrolled and prospective), Employees & Former employees, including current or former consultants and contractors (subject to applicable legal requirements)
To Object to Automated DecisionmakingClinical Trial Staff, Clinical Trial Participants (enrolled or prospective), Job Candidates, Employees & Former employees, including current or former consultants and contractorsN/A

7. How long we retain your personal data

The Personal Data of clinical trial participants will be retained according to applicable clinical trial laws, which in many cases will be for 25 years after the conclusion of the trial. The study doctor and the informed consent form will provide you with more information about the retention of study records which contain your Personal Data.

All other types of Personal Data retained by Worldwide will be maintained according to our data retention policies.

8. Information about our online practices

We may collect information when you visit our website, such as your media access control (MAC) address, computer operating system (Windows or MacOS), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, the name and version of the Sites you are using, and your IP Address.

Your IP Address may be automatically identified and logged in our server log files whenever you access our websites, along with the time of the visit and the page(s) that you visited. We use IP Addresses to calculate usage levels of the Sites, help diagnose problems with its servers, administer the websites, and monitoring the regions from which you navigate to our websites.

Where permitted by law, we use web analytics services, which currently include Google Analytics and Crazy Egg Analysis Service.

Google Analytics is a web analytics service provided by Google Inc. (“Google“). Google Analytics uses cookies and similar technologies to analyze how users use the domains. The information generated about domain usage (including your shortened IP Address) is transmitted to Google in the U.S. This information is used to evaluate visitors’ use of the domain, compile statistical reports on domain activity, and provide other services related to the Site and Internet use. Google may also collect information about domain visitors’ use of other websites. For more information about Google Analytics, or to opt out of Google Analytics, please go to: www.analytics.google.com. Crazy Egg’s Analysis Service is a web analytics service that gives us data about where users are clicking on our site. You can visit Crazy Egg’s privacy policy at: www.crazyegg.com/privacy  and their opt-out feature at: www.crazyegg.com/opt-out.

Do Not Track: Worldwide does not recognize automated browser signals regarding tracking mechanisms, which may include ‘do not track’ instructions.

A cookie is a small text file that is placed on your hard drive by a web page server. Cookies contain information that can later be read by a web server in the domain that issued the cookie to you. Some of the cookies will only be used if you use certain features or select certain preferences, and some cookies will always be used.

We and our marketing partners, affiliates, and analytics and service providers use cookies and other technologies to ensure everyone who uses the websites has the best possible experience.

When you visit our websites, we may place a number of cookies in your browser. These are known as First Party Cookies and are required to enable to hold session information as you navigate from page to page within the website. For example, we use cookies on our websites to understand visitor and user preferences, improve their experience, and track and analyze usage, navigational and other statistical information. You can control the use of cookies at the individual browser level. If you elect not to activate the cookie or to later disable cookies, you may still visit our websites, but your ability to use some features or areas of the websites may be limited.

If you want to learn more about cookies, or how to control, disable or delete them, please visit www.aboutcookies.org for detailed guidance. In addition, certain third party advertising networks, including Google, permit users to opt out of or customize preferences associated with your internet browsing. To learn more about this feature from Google, click here: www.adssettings.google.com/authenticated

10. Additional information for residents of California

This section applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”) and any terms defined in the CCPA or CPRA have the same meaning when used in this Privacy Statement.

Information We Collect:

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information“).

Personal information does not include:

Publicly available information from government records, deidentified or aggregated consumer information, information excluded from the CCPA’s scope, including health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data.

In particular, we may have collected the following categories of personal information from consumers within the last twelve (12) months:

  • Identifiers, such as your name, username, email address, or IP address.
  • Categories of personal information described in subdivision (e) of California Civil Code Section 1798.80, such as your name and address.
  • Characteristics of protected classifications under California or federal law, such as your age.
  • Commercial information, such as your purchase records (if any).
  • Internet or other electronic network activity information, such as cookies, web logs, and information about how you use our website.
  • Biometric information.
  • Geolocation information
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information, such as your company name and address and any information that you provide in your job application with us.
  • Education information, such as your college records.
  • Inferences drawn from any of the information identified above, such as advertising profiles.

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website.
  • From public sources.
  • From social networks, such as Facebook and Twitter, when you share our content on those platforms.
  • Health care organizations (e.g., physician practices, hospitals, clinics, pharmacies, payers).
  • Federal and state government organizations.
  • Professional associations or other organizations with which you are employed or affiliated.
  • Data brokers and/or data aggregators.
  • From other third-party sources, such as recruiters and employment websites.

Use of Personal Information:

We may use or disclose the personal information we collect for the purposes described in the Global Privacy Statement and Online Privacy Statement. We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information:

We may share your personal information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, we have disclosed personal information for a business purpose to the categories of third parties: Worldwide corporate affiliates, agents/service providers, clients and business partners, regulatory or enforcement authorities, to protect our legal rights or comply with legal requirements or to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, third-party advertisers as described in our Online Privacy Statement, or other third parties with your prior consent.

We do not sell personal information.

Your Rights and Choices:

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Right to Know and Data Portability:

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  • sales, identifying the personal information categories that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • We do not provide a right to know or data portability disclosure for B2B personal information.

Right to Delete:

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the “right to delete”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.
  • We do not provide these deletion rights for B2B personal information.

Exercising Your Rights to Know or Delete:

To exercise your rights to know or delete described above, please submit a request by either:

  • Calling us at (855) 524 3133
  • Emailing us at data.protection@worldwide.com
  • Visiting worldwide.com/contact-us

Restrictions on the Right to Know or Delete

  • Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information.
  • You may also make a request on behalf of your minor child.
  • You may only submit a request twice within a 12-month period.
  • Your request to know or delete must:
  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

How we Will Respond to your Request:

  • We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in the request to verify the requestor’s identity or authority to make it. We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact data.protection@worldwide.com.
  • We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.
  • If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
  • Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
  • We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination:

We will not discriminate against you for exercising any of your CCPA or CPRA rights. Unless permitted by the CCPA or CPRA, we will not deny you services, charge you different prices or rates for services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of services, suggest that you may receive a different price or rate for services or a different level or quality of services.

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us as described above in this section.

This Privacy Statement does not apply to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals. Any such processing shall be subject to a separate employee privacy notice as applicable.

Additional information for residents of the Federation of Russia

Name of the operator: LIMITED LIABILITY COMPANY “WORLDWIDE CLINICAL TRIALS” (LLC “VKT”)

Operator’s address:
Location and Postal address: 188645, Leningrad Region, Vsevolozhsky District, Vsevolozhsk Gorod, Koltushskoe Shosse, 298, apt. 106

Contact information of the operator: Eduard.maximov@worldwide.com

Regions: Leningrad region; Moscow; St. Petersburg

Pursuant to Art. 23, 24 of the Constitution of the Russian Federation, Art. 86-90 of the Labor Code of the Russian Federation, the Federal Law “On Personal Data”, the Charter of LLC “VKT”, the Regulations on the processing of personal data in LLC “VKT” The purpose of processing personal data for the purpose of formalizing labor relations, maintaining personnel, accounting and management accounting, issuing VHI policies, concluding and executing civil law contracts with counterparties

Description of the measures provided for by Articles 18.1. and 19 of the Federal Law “On Personal Data”:

A person responsible for the organization of the processing of personal data has been appointed. Employees directly engaged in the processing of personal data are familiar with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, documents defining the organization’s policy regarding the processing of personal data, local acts on processing issues personal data. The recovery of personal data modified or destroyed due to unauthorized access to them is ensured. Rules for access to personal data processed in the personal data information system have been developed.

Security features:

Anti-virus information protection tools are used, personal passwords are assigned to each workplace (specific employee). Safes are installed to store personal files of employees and personal data of individuals, lockable metal cabinets, fire alarms are installed, offices are located in buildings where the security system operates

Information on ensuring the security of personal data:

The places of storage of personal data (material carriers) have been determined. A list of persons processing personal data and having access to them has been defined. Separate storage of personal data (material carriers), the processing of which is carried out for various purposes, is ensured. Accounting of material carriers is ensured. The possibility of uncontrolled penetration or presence of unauthorized persons in the premises where work with personal data is carried out is excluded. The safety of personal data carriers and information protection means is ensured.

Date of commencement of personal data processing:

21.06.2005

Term or condition of termination of personal data processing:

Termination of the organization’s activities, as well as the conditions provided for by federal law No. 152.

Categories of personal data processed:

Surname, name, patronymic; year of birth; month of birth; date of birth; place of birth; address; marital status; social status; property status; education; profession; income; special categories of personal data: state of health; biometric personal data (photos in corporate systems), e-mail address, phone number.

Categories of data subjects:

Applicants, employees, former employees, close relatives of employees (for registration of voluntary health insurance), counterparties or representatives of counterparties (for the conclusion and execution of contracts)

Methods of processing personal data used by the operator:

Any action (operation) or a set of actions (operations) performed with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data. The processing of the above personal data will be carried out by a variety of means, with the transfer through the internal network of a legal entity via the Internet.

Cross-border transfer of personal data:

Information on the location of the database of information containing personal data of citizens of the Russian Federation:

Location 1

  • Country: Russia
  • Own data center: yes

Location 2

  • Country: United Kingdom
  • Own data center: no
  • Organization Name: The Sage Group PLC

Use of encryption (cryptographic) means:

Used only when required

Contact of the individual responsible for the organization of personal data processing:

Eduard Maximov postal addresses: 195112, Russia, St. Petersburg, Malookhtinsky pr. 64

Contact phone numbers: +7 812 346 8247

E-mail Address: Eduard.Maximov@worldwide.com

The information in this section has been submitted to the information system of Roskomnadzor on 31 August 2022. If you would like to receive a copy of this notice in the Russian language, please contact us at the address above, or contact Data.Protection@Worldwide.com.

11. Data Privacy Framework Statement

Effective 11 July 2023

This Data Privacy Framework Statement (“Statement”) has been produced by Worldwide Clinical Trials Holdings, Inc., its subsidiaries and affiliates (“Worldwide”) in connection with the transfer and protection of personal data received from data subjects located in the European Economic Area (EEA), Switzerland, and the United Kingdom (UK). Worldwide is located at 600 Park Offices Dr #200, Research Triangle Park, Durham NC 27709.

For the purposes of this Statement, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

To participate in the DPF program, Worldwide must publicly commit to comply with the DPF Principles. While the decision to self-certify to and participate in the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles that commitment is enforceable under U.S. law. If there is any conflict between the terms in this Statement and the DPF Principles, the Principles shall govern. 

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit www.dataprivacyframework.gov/s/.

Scope

Worldwide provides global clinical trial services on behalf of clinical trial sponsors. In connection with providing these services to its customers, Worldwide processes personal data from individuals located in the EEA, UK, and Switzerland. This Statement applies to the collection, use, storage, transfer, and disclosure of personal data transferred from the EU, the UK, or Switzerland to Worldwide in the United States (“US”). Data subjects may include (i) clinical trial participants; (ii) clinical trial site staff; (iii) internet end users of Worldwide’s own websites and applications; or (iii) business contact information associated with our business customers and business partners such as vendors. Worldwide also adheres to the principles of the DPF with regard to the processing of its own employees’ and contractors’ personal data in its role as an employer.  

Application of Data Privacy Framework Principles

We will inform data subjects of our privacy practices, including the purposes for which we collect and use their personal data, the people or categories of people who will have access to it, and the choices and means, if any, they have for limiting the use and disclosure of your personal data.

When we are processing personal data as a data processor (for example, as a CRO on behalf of client or sponsor), we will only use personal data according to the privacy notices and instructions issued by those entities who determine the purpose and means of the processing.

When required or permitted by applicable law, we obtain consent before the collection, use or disclosure of personal data. To the extent we can under applicable law, we will respect the choices and requests of data subjects to limit the collection, use, transfer or other processing of their personal data.

In EEA member states which prohibit us from relying on consent for the processing of clinical trial participant data, we will rely on an alternative legal basis permitted under EU or Member State law. Clinical trial participants will at all times be provided with complete and transparent information related to the processing of their personal data during the informed consent process prior to participation in the clinical trial.

If we are processing personal data based on consent, the data subject has the right to withdraw their consent at any time and no additional personal data will be.

We may be able to retain and continue to use certain personal data under specific circumstances, such as to demonstrate the safety or efficacy of the investigational drug in a clinical trial, for legal or regulatory purposes, to defend ourselves in a legal claim, or for other reasons permitted under applicable data privacy laws.

We will only carry out international transfers of personal data within or outside of our group of affiliated companies and agents, when the recipient is located in a country that is the recipient of an adequacy decision, or when we have implemented adequate safeguards and reasonable privacy controls for such information in compliance with applicable laws.

Worldwide does not sell or share personal data with third parties except as described in our Global Privacy Policy.

We may be required under applicable law to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We may transfer personal data to our third-party agents or service providers who perform functions on our behalf. We take reasonable and appropriate steps, including execution of written contracts, to require third-party agents and service providers to only process personal data in accordance with applicable law and the principles contained in this Statement and our Global Privacy Policy. We will provide a summary or representative copy of relevant privacy provisions of our contracts with a third party upon request.

We implement appropriate administrative, physical, and technical safeguards to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We evaluate any potential security incident or personal data breach, and report any unauthorized disclosure of personal data as required by and in accordance with applicable laws.

We will ensure that personal data is kept accurate, complete and relevant for its intended use. We will take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.

When we are processing personal data on behalf of a data controller (for example, as a CRO on behalf of client or sponsor), we will act according to the instructions of and contractual terms in place with the data controller to support the data controller’s obligations under the Data Use, Integrity & Retention principle.

We will only collect and process personal data that is relevant and necessary to fulfill the purpose for which it was collected.

We will retain personal data only as long as necessary or required to fulfil the purpose of the collection. Clinical trial participant data will be retained according to applicable clinical trial regulations, which may as long as 25 years in some jurisdictions.

When we process personal data on behalf of a data controller (for example, as a CRO on behalf of client or sponsor), we will act according to the instructions of and contractual terms in place with the data controller to support the data controller’s obligations under the Purpose Limitation principle.

Worldwide has established internal mechanisms to verify its ongoing adherence to this Statement. Worldwide is subject to the investigatory and enforcement powers of the US federal government, including the Federal Trade Commission (FTC). Worldwide also encourages individuals covered by this Statement to raise any concerns about our processing of their personal data by contacting Worldwide’s Data Protection Officer at the address below. Worldwide will seek to resolve any concerns within thirty (30) days according to our internal SOPs.

Worldwide commits to cooperate with the panel established by the EEA data protection authorities (DPAs) and to comply with the advice given by the panel with regard to data transferred from the EEA. For personal data relating to Swiss individuals, Worldwide commits to cooperate with the Swiss Federal Data Protection and Information Commissioner (FDCIP) and to comply with the advice given by the FDCIP with regard to Swiss individual information transferred.

Worldwide commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and complies with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Worldwide commits to periodically reviewing and verifying the accuracy of this Statement and its compliance with the Principles, and remedying any issues identified. All employees of Worldwide that have access to personal data covered by this Statement in the US are responsible for conducting themselves in accordance with this Statement and with Worldwide policies and procedures. Failure of an employee to comply with Worldwide policies related to personal data may result in disciplinary action up to and including termination.

Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.

In compliance with DPF Principles, Worldwide commits to resolve complaints about our collection or use of your personal data within thirty (30) days, to respond to requests made by individuals to access or to limit the use and disclosure of their personal data.

Worldwide has chosen a panel of EU DPAs to serve as the Independent Recourse Mechanism for any complaints.

To issue a complaint, make a request to access your personal data or to limit the use and disclosure of your personal data, or for any other questions or concerns, please contact Worldwide’s Data Protection Officer at DPO@worldwide.com.

You may contact us at any time using any of the following methods:

Mail: 600 Park Offices Dr #200, Research Triangle, NC 27709

Telephone (toll-free): 1 (855) 524 3133

Data Protection Officer: DPO@worldwide.com

General privacy and data protection inquiries: data.protection@worldwide.com

Worldwide’s Data Representative in the European Union: WCT Clinical Research Spain, S.L.U, Calle Príncipe De Vergara, 112 4 ª. 28002, Madrid, Spain

If you are currently a participant in a clinical trial who wants to exercise any of your rights under the applicable privacy laws, please reach out to the study doctor or the clinical trial site coordinator (as detailed further in the Informed Consent Form for your study).

12. Changes and Updates

This Policy shall remain in place indefinitely and shall not be retired or eliminated without replacement. We reserve the right to make changes or updates to this Policy from time to time without notice. All changes will be published with the current effective date.

13. How to Contact Us

You may contact us at any time using any of the following methods:

Mail: 600 Park Offices Dr #200, Research Triangle, NC 27709

Telephone (toll-free): 1 (855) 524 3133

Data Protection Officer: DPO@worldwide.com

All privacy and data protection inquiries: data.protection@worldwide.com

Serbian inquiries: DPO_Serbia@worldwide.com

Worldwide’s Data Representative in the European Union:

WCT Clinical Research Spain, S.L.U, Calle Príncipe De Vergara, 112 4 ª. 28002, Madrid, Spain

If you are currently a participant in a clinical trial who wants to exercise any of your rights under the applicable privacy laws, please reach out to the study doctor or the clinical trial site coordinator (as detailed further in the Informed Consent Form for your study).

If you are a citizen of the European Union (EU), United Kingdom (UK), Serbia, or Switzerland, you may address any unresolved complaints with your respective data protection authority. For more information, access your local data protection authority at the following links:

EU Data Protection Authorities: edpb.europa.eu/about-edpb/board/members_en

UK Information Commissioner: ico.org.uk/make-a-complaint/

Commissioner for Information of Public Importance and Personal Data Protection (Serbia)

15, Bulevar kralja Aleksandra str, Belgrade 11120
Tel: +381 11 3408 900
Fax: +381 11 3343 379
Email: оffice@poverenik.rs

Office of the Federal Data Protection and Information Commissioner (Switzerland)

Feldeggweg 1
CH – 3003 Berne
Tel: +41 (0)58 462 43 95
Fax: +41 (0)58 465 99 96