Data Privacy Framework Policy

Purpose and Scope

This Policy is intended to align with the European Union General Data Protection Regulation (EU GDPR), the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). The EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF are collectively referred to as the “DPF”. To comply with the GDPR, we are required to provide a legal basis for processing your personal data.

This Policy sets out the rules relating to the protection of individuals (customers, clinical trial participants, and patients), as well as employees, consultants, contractors, and vendors within the US, UK, EU, and Switzerland, with regard to the processing of their Personal Data (HR and non-HR data) by ClinQure, Inc ("ClinQure") or on its behalf (hereinafter the "Policy").

The implementation of any processing of Personal Data by ClinQure is subject to compliance with this Policy and any other relevant rules or applicable standard operating procedures ("SOPs") of ClinQure adopted for its implementation. This Policy protects all Personal Data relating to individuals, whether collected by ClinQure or disclosed to ClinQure by a third party.

Definitions

  • For the purposes of this Policy, the following terms are defined as follows:

"Personal Data" means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number (e.g., social security number), location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity (e.g., last name and first name, date of birth, biometrics, DNA, etc.) of that individual. Company registration numbers, generic email addresses (such as info@company.com), and anonymized data are not considered Personal Data.

"Processing" means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data).

"Data Controller" means any Employee or legal entity who has the authority to determine, alone or jointly with others, the purposes, conditions, and means of the processing of Personal Data on behalf of ClinQure.

"Data Processor" means any Employee or other individual, legal entity, public authority or similar body, including a third party, authorized to process Personal Data on behalf and under the direct authority of the Data Controller.

"Employee(s)" means any employee of ClinQure.

"Recipient" means the individual, legal entity, public authority or similar body to which Personal Data are disclosed.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Sensitive Data" means any data that is protected against unwarranted disclosure including genetic data, biometric data, data revealing racial or ethnic origin, data concerning health, sex life or sexual orientation, political opinions, trade-union membership, and religious or philosophical beliefs.

"Consent" means the freely given, specific, informed, and unambiguous permission expressed by an individual by which such individual agrees to the processing of his/her Personal Data. This consent is given either by a written statement or by a clear affirmative action.

"Data Protection Officer" means the Employee(s) or department designated, from time to time, by ClinQure to perform the duties listed in this Policy or assigned to such parties by decision of the officers of ClinQure.

“Data Privacy Framework” means the program developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for Personal Data transfers to the United States from the European Union (“EU”)/European Economic Area, the United Kingdom (“UK”) (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law, and such other countries that conform to the framework. In the event privacy laws in other countries do not comply or are less strict, ClinQure will uphold these privacy policies.

“HR Data” refers to personal information about employees, past or present, collected in the context of the employment relationship. This includes data such as names, addresses, email addresses, telephone numbers, social security numbers, tax ID numbers, job titles, employment history, performance evaluations, disciplinary actions, training records, salary details, bank account numbers, tax information, benefits enrollment, medical records, health insurance details, information related to workplace injuries or illnesses, and sensitive personal information revealing race, ethnicity, religion, sexual orientation, and biometric information.

“Non-HR Data” refers to personal information collected outside the context of the employment relationship. This includes customer information such as names, addresses, telephone numbers, purchase history, and payment information; business partner data including contract details and communication records with vendors, suppliers, and collaborators; marketing data collected through marketing campaigns, surveys, and website analytics including IP addresses and online identifiers; research data collected for research purposes including patient specimens, clinical trial information, and de-identified health data; and sensitive personal information revealing race, ethnicity, religion, sexual orientation, and biometric information.

PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF PERSONAL DATA (NOTICE)

  • Types of Personal Data.

ClinQure collects both HR and non-HR data. HR data includes employee information such as names, addresses, email addresses, telephone numbers, social security numbers, tax ID numbers, and other government-issued identifiers. It also includes employment records like job titles, employment history, performance evaluations, disciplinary actions, and training records; payroll information such as salary details, bank account numbers, tax information, and benefits enrollment; health information including medical records, health insurance details, and information related to workplace injuries or illnesses; and sensitive personal information (SPI) such as data revealing race, ethnicity, religion, sexual orientation, and biometric information.

Non-HR data collected by ClinQure includes customer information such as names, addresses, telephone numbers, purchase history, and payment information; business partner data including contract details and communication records with vendors, suppliers, and collaborators; marketing data collected through marketing campaigns, surveys, and website analytics including IP addresses and online identifiers; research data collected for research purposes including patient specimens, clinical trial information, and de-identified health data; and sensitive personal information (SPI) such as data revealing race, ethnicity, religion, sexual orientation, and biometric information.

  • Purpose of Collection

ClinQure shall have the right to process Personal Data provided to ClinQure by the Employee (HR data) or some other party to enable ClinQure to fulfill its legal and contractual obligations in its capacity as an employer or to take steps at the request of the Employee prior to entering a labor contract. These purposes include but are not limited to Human Resource Management activities carried out as part of the recruitment or the performance of an employment contract and include onboarding, termination of employment, scheduling and recording time, performance, compensation & benefits and training. As it relates to a prospective employment relationship, if a prospect is rejected, his or her data shall be deleted in accordance with ClinQure's Record Retention Policy, unless specified within the application process.

  • Types of Third Parties

Where ClinQure is not the data controller or cannot facilitate the processing of data due to the purpose of its collection, third parties may be identified. The type of third party used in data processing will be assessed against the standards of this Privacy Policy and chosen based on its applicability to the processing purposes stated in section 3.2.

  • Processing of Personal Data
    • ClinQure shall ensure that Personal Data disclosed to ClinQure are collected and processed according to the principles expressed in this Policy.
    • ClinQure is committed to subjecting all Personal Data received from the EU and, as applicable, the UK (including Gibraltar), and Switzerland, to the DPF principles, in reliance on the relevant parts of the DPF program.
    • Personal Data shall be processed and used lawfully, fairly, and in a transparent manner (lawfulness, fairness, and transparency).
    • Personal Data shall be collected for specified, explicit, and legitimate purposes consistent with ClinQure's official activities (purpose limitation).
    • The Processing of Personal Data shall always be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected and/or further processed (data minimization).
    • Personal Data stored by ClinQure should be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that Personal Data which is inaccurate, regarding the purposes for which it is processed, is erased or rectified without delay (accuracy).
    • Personal Data shall be kept or stored for no longer than is reasonably necessary for the purposes for which they are processed or in use, or pursuant to ClinQure's applicable SOPs (storage limitation).
    • Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality).

Transfer of Personal Data

  • Personal Data may be transferred within ClinQure on the following conditions:
    • the Personal Data are necessary for compliance with requirements of the Recipient, or the performance of tasks covered by the activities of the Recipient;
    • only the Personal Data necessary for such compliance or performance shall be transferred;
    • the Recipient may process the Personal Data only for the purposes for which they are transferred.
  • ClinQure may transfer Personal Data to its partners, affiliated organizations, and other third parties with which ClinQure enters into an agreement, in the following cases where:
    • ClinQure’s partners, affiliated organizations, or other third parties observe this Policy and any other relevant rules which ClinQure may adopt for its implementation; or
    • sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by ClinQure’s partners, affiliated organizations or other third parties, to ensure a continuing level of security and protection consistent with this Policy and any other relevant rules which ClinQure may adopt for its implementation; or
    • the concerned individual has explicitly consented to the proposed transfer; or
    • the transfer is necessary for the establishment, exercise, or defense of legal claims; or
    • the transfer is necessary to protect the vital interests of the concerned individual; or
    • to allow ClinQure to achieve its legitimate goals and carry out its official activities.

Data Processors shall comply with the level of security and protection of the Personal Data set forth by this Policy to ensure the protection of the rights of individuals.

ClinQure will comply with the requirements to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

RIGHTS OF INDIVIDUALS (CHOICE & ACCESS)

Information to be Given to the Individuals

  • Upon request by the concerned individual, ClinQure shall provide the individual with the following information on the Processing of Personal Data relating to such individual:

    • the identity and the contact details of the Data Controller;
    • the contact details of the Data Protection Officer;
    • the purpose of the Processing for which the Personal Data are intended;
    • the categories of Personal Data concerned;
    • the Recipients or category of Recipients of the Personal Data;
    • where possible, the contemplated period for which the Personal Data will be stored, or, if not possible, the reason why no such period is fixed;
    • where applicable, the fact that ClinQure intends to transfer Personal Data to a partner of ClinQure, an affiliated organization or a third party and the reasons for such transfer; and
    • the existence of the right to request access, rectification, or erasure of Personal Data and to submit claims.

The section above shall not apply where providing such information proves impossible, would involve a disproportionate effort, or is unduly burdensome on ClinQure. In such instances, ClinQure shall take appropriate measures to protect the concerned individuals' rights and legitimate interests to the extent reasonably possible.

Right to Access, Corrections, and Deletion

Every individual shall have the right to obtain from the Data Controller at any time, on request, confirmation as to whether or not Personal Data relating to such individual are being processed, to the extent identifiable. Every individual shall have the right to access, correct, amend, or delete any personal information we have on file about them.

Right to Rectification and Erasure

ClinQure offers Individuals the opportunity, where appropriate, to choose (“opt-out”) whether their Personal Information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the Individual. ClinQure will not process SPI about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the Individual unless the Individual explicitly consents to the processing (“opt-in”), or as required or permitted, or where not prohibited by law or regulation.

In some cases, even if an Individual opts out of disclosures of their Personal Information, ClinQure may still disclose such Personal Information (i) if we are required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce ClinQure policies or contracts; (v) to collect amounts owed to ClinQure; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) in the good faith belief that disclosure is otherwise necessary or advisable. ClinQure also may transfer Personal Information when a material event concerning its business operation(s), assets or shares, such as purchase, disposal, merger, joint venture or acquisition, is proposed or occurs. In such an event, ClinQure will endeavor to direct the transferee to use the Personal Information in a manner that is consistent with this Policy. ClinQure will provide Individuals with reasonable mechanisms to exercise their choices to the extent required by applicable law.

Right to Object

Every individual shall have at any time the right to submit a request objecting, on grounds relating to his or her particular situation, to the Processing of Personal Data concerning such individual. The Data Controller shall no longer process the Personal Data unless the Data Controller demonstrates that such Processing is necessary for the performance of the task while conducting ClinQure's official activities or in the framework of its missions or services.

ACCOUNTABILITY, ONWARD TRANSFER, SECURITY, DATA INTEGRITY, AND LIMITATIONS

Duties and Responsibilities of the Data Protection Officer.

  • The Data Protection Officer shall monitor the application of this Policy.
  • ClinQure will remain liable in cases of onward transfers to third parties.
  • ClinQure will be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the U.S. Department of the Treasury or any other U.S. authorized statutory body.
  • Cooperation of Data Controllers with the Data Protection Officer.
    • Data Controller(s) shall cooperate with the Data Protection Officer by assisting the Data Protection Officer and making available any information necessary for the Data Protection Officer to carry out tasks. Data Controller(s) shall involve the Data Protection Officer in the process of designing new information systems to ensure that measures of data protection are built into those systems from the beginning.
  • Onward Transfer
    • In most situations, transfers to third parties are covered by the provisions in this policy regarding notice and choice. ClinQure does not sell or otherwise disclose individuals’ personal information, except as described in our privacy policies, in a notice provided to individuals at the time of collection, or as individuals explicitly consent. ClinQure may share individuals’ personal information with our service providers, consultants, and affiliates for our and our affiliates’ internal business purposes or to provide individuals with a requested service.

      ClinQure will endeavor to only transfer personal information to a third party/agent where such third party/agent has given assurances that it provides at least the same level of privacy protection as required by the DPF Principles and this policy and will notify ClinQure if it makes a determination that it can no longer meet this obligation. ClinQure may, for example, provide an individual's personal information to agents to host our databases, for data processing services, or to send to that individual the information that he or she requested. Where ClinQure has knowledge that an agent is using or disclosing personal information in a manner contrary to the DPF Principles and/or this policy, ClinQure will take reasonable steps to prevent or stop the use or disclosure. With respect to onward transfers to agents, the DPF requires that, to the extent it is responsible for the event, ClinQure shall remain liable should its agents process personal information in a manner inconsistent with the DPF Principles, and ClinQure accepts and shall follow this principle.

      Where ClinQure knows that any third party to whom it has provided personal information is using or disclosing personal information in a manner contrary to this policy and/or the DPF Principles, ClinQure will take reasonable steps to prevent or stop the use or disclosure. With respect to such onward transfers to agents, and to the extent ClinQure is responsible for the event, ClinQure shall remain liable should its agents process personal information in a manner inconsistent with the DPF Principles and this policy.

      In circumstances in which ClinQure obtains personal data as a service provider for its clients or affiliates, ClinQure’s clients or affiliates are responsible for protecting individual rights with respect to onward transfers. ClinQure has potential liability in cases of onward transfer to third parties of data of EU individuals received pursuant to the DPF Principles.

  • Security
    • ClinQure will take reasonable and appropriate technical, administrative, and physical measures to protect personal information in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These precautions are designed to account for the risks involved in processing and the nature of the personal information, whether it is in electronic or physical form.
  • Integrity and Limitations
    • ClinQure uses personal information only in ways that align with the purposes for which it was originally collected or subsequently authorized by the individual. ClinQure takes reasonable steps to ensure that the personal information we use is reliable for its intended purpose, accurate, complete, and current for as long as we retain it. Our personnel are responsible for helping maintain accurate, complete, and current personal information.
    • Personal data is limited to what is necessary for the purposes of processing. We do not process personal information in ways that are incompatible with the purposes for which it was collected or subsequently authorized. ClinQure ensures that data is relevant and reliable for its intended use, and we take reasonable measures to maintain its accuracy and completeness.
    • ClinQure processes personal information that is relevant to the services we provide and only for purposes compatible with those for which the information was collected. In these situations, we work with our customers to ensure they can provide individuals with a way to correct or update their personal information.

SETTLEMENT OF CLAIMS (RECOURSE, ENFORCEMENT, AND LIABILITY)

  • Any individual may complain in writing to the Data Protection Officer at privacy@clinqure.com about any matter relating to such individual's Personal Data, including any Personal Data Breach.
  • The Data Protection Officer shall notify officers of ClinQure or the designated department of ClinQure regarding any such complaint received.
  • The Data Protection Officer must acknowledge receipt in writing and decide, with input and approval of those identified in Section 6.4, on the complaint within sixty (60) days of receipt. The Data Protection Officer may extend the time limit by thirty (30) days if the complaint requires further assessment. In such case, the Data Protection Officer shall give notice to the complainant.

DATA PRIVACY FRAMEWORK & COMPLAINT RESOLUTION MECHANISM

  • ClinQure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. ClinQure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. ClinQure has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
  • The Federal Trade Commission has jurisdiction over ClinQure’s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.
  • In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ClinQure commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact ClinQure at: privacy@clinqure.com.
  • In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ClinQure commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
  • ClinQure further commits to resolve complaints by providing an independent dispute resolution mechanism. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ClinQure commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit: https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
  • If any request remains unresolved, Individuals may, under certain circumstances, have a right to invoke binding arbitration under the DPF. For additional information, see https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

REVIEW AND AMENDMENT

  • ClinQure may at any time adopt specific rules and/or guidelines on any matter related to this Policy.
  • This Policy may be amended at any time upon the decision of the Managers or Officers of ClinQure.