This Policy applies to all Personal Information of individuals, either in electronic or paper format, received by Pivotal. All employees and third parties handling Personal Data on behalf of Pivotal are responsible for ensuring the privacy and the security of the data in accordance with the EU Regulation 2016/679, of 27 April, General Data Protection Regulation (GDPR).
TYPES OF PERSONAL DATA
Personal Data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, for instance, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.
Pivotal, as a full-service Clinical Research Organization (CRO), collects and analyses health data relating to study subjects on behalf of its clients during the performance of its services. The data collected for the studies are identified by an alphanumeric code in a way that does not include information that can identify any subject through such data. Individuals in studies agree to share this sensitive information under the premise that data will be handled by Pivotal in compliance with laws on data protection and confidentiality. However, in this field, Pivotal acts as processor, since the sponsor of each clinical study is the controller, having the position of ultimate responsibility for data processing of study subjects.
Pivotal, through the website C-Lys (https://www.c-lys.com/en), collects Personal Data of potential patients in the context of pre-selection for clinical studies. Data from registered subjects in C-Lys include contact details and, depending on the type of study, additional information related to health or lifestyle.
Health Professional Information
Pivotal collects Personal Data on the investigators and staff from the hospitals and institutions that take part in clinical studies. Pivotal uses this information to identify and contact physicians for participation in clinical studies. Pivotal requires the investigators and their staff to consent to the collection of their Personal Data and to be informed about their rights.
Employees and Human Resources Data
Pivotal collects personal information of its employees, which is processed to carry out Human Resources activities. Data from applicants, including contact details, professional qualifications and employment history, are also collected for future recruitment processes.
In general, it is not necessary to fill in any registration form to access the information on Pivotal and its services offered on Pivotal's website. We may receive personal information from you that can identify you, such as your name, telephone number, e-mail address, and other similar information when it is voluntarily submitted to us. You may submit your information to us through the link on the site that allows you to contact us.
Where processing is to be carried out on behalf of Pivotal by a third party acting as processor, Pivotal requires that this third party is fully committed to implementing the adequate technical and organizational measures to protect the rights and freedoms of data subjects, and also to process Personal Data only for the purpose of the said processing.
TRANSFERS OF PERSONAL DATA
Should it be considered appropriate to transfer the personal information to other entities, the individuals will be explicitly informed of the purpose of the file, the data transferred and the name and address of the assignee so that they may give their unequivocal consent to this, in particular, when the transfer of Personal Data is on an international basis outside the European Union.
CONSENT AND NOTICE
At the point of data collection, Pivotal will provide notice about the purposes for which this information is collected, how it will be processed, the conditions on the protection of personal information, what rights may be exercised, and who to contact with any question or complaint. Notice will be provided in clear and conspicuous language.
DATA INTEGRITY AND RECORD RETENTION
Data subjects are solely responsible for ensuring that the information provided is accurate, complete, current, reliable and truthful, and this exonerates Pivotal of any responsibility in this regard. Pivotal only collects the necessary amount of Personal Data that is required for business performance.
Pivotal retains personal information in accordance with contractual, legal and regulatory requirements.
EXERCISE OF THE RIGHTS
Data subjects may also exercise their rights at the Internet address email@example.com or by sending a letter to PIVOTAL, S.L. (Gobelas 19, 2nd floor, 28023 Madrid, Spain), quoting the Ref. PERSONAL INFORMATION, to the above-mentioned address. To exercise the said rights, it is necessary to prove one's identity to Pivotal by sending a copy of a valid identity card.
The rights under the GDPR are the following:
- The right to be informed
- The right to withdraw consent
- The right of access
- The right of rectification
- The right to erasure (or “right to be forgotten”)
- The right to restrict processing
- The right to object
- The right to lodge a complaint with the Data Protection Control Authority
However, according to the Spanish Agency of Medicines and Medicinal Products (AEMPS), patients’ right to erasure has certain limits in the field of clinical research, since health data of clinical studies may not be deleted even if the data subject stops participating in the study, in order to guarantee the validity of the research and to comply with the drug authorisation requirements and legal obligations.
Pivotal has adopted security levels and measures for the protection of personal information by installing in its systems and files the technical, administrative and physical safeguards needed to guarantee that the information is processed confidentially, to prevent its loss, misuse, unauthorized access, disclosure, alteration and destruction. These measures will be based on a prior risk analysis of all data processing activities.
Pivotal, seeking to comply with the accountability principle, has appointed Mr. Ricardo De Lorenzo Aparici (partner of the law firm De Lorenzo Abogados) as Data Protection Officer (DPO), with registration number 170260/2018 in the Spanish Data Protection Control Authority.
PRIVACY BY DESIGN
Following the principle of accountability, Pivotal will implement adequate measures in the design of each and every new data processing operation.
Pivotal periodically carries out a risk analysis of the processing activities in its records in order to control hazards through the identification and assessment of the risks.
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Impact assessment is the process of analyzing and mitigating or minimizing the data protection risks. A DPIA is carried out where data processing is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA includes the following:
- The processing operations performed by Pivotal and their purposes.
- An assessment of the need for proportionality of these processing operations.
- An assessment of the risks to the data processed.
- Measures adopted to ensure data protection.
A Data Breach is defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. In this case, Pivotal will make the appropriate notification to the Data Protection Control Authority no later than 72 hours after becoming aware of it, in accordance with GDPR requirements.
QUERIES AND REQUESTS
Requests to exercise informational rights, or complaints, can be addressed to the attention of the Pivotal DPO at firstname.lastname@example.org.