This document aims to implement Personal Data processing and protection legislation requirements and to protect the rights and freedoms of individuals when Biotaware processes their Personal Data.
This document has been drawn up in compliance with the requirements established in the General Data Protection Regulation and other legislation regulating the processing and protection of Personal Data.
This document applies to processing and protection of Personal Data at Biotaware.
This document is applicable to all Personal Data received or collected by Biotaware from customers, business partners, and other individuals, in any format, as part of Biotaware's business operations.
Out of scope: HR Personal Data of Biotaware employees, which is covered by another Privacy Notice.
3. Definitions and abbreviations
3.1 Terms and Acronyms
· Availability – Making sure that information is available when and where it is rightly needed.
· Clinical Data – Defined in section 4.1.
· Confidentiality – Protection of information from unauthorized access.
· Data Breach – Any event that has the potential to affect the confidentiality, integrity or availability of Personal Data held by Biotaware in any format.
· Data Subject – Any person whose Personal Data is being collected, held or processed.
· Integrity – Making sure that information is kept accurate and consistent unless authorized changes are made.
· Marketing Data – Defined in section 4.1.
· Natural Person – Someone who can be identified, directly or indirectly.
· Personal Data – Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
· Sensitive Personal Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
· User – Any person who owns an account on Biotaware's system.
· Users Data – Defined in section 4.1.
4. Protecting and Processing Personal Data
4.1 Data Processed
The collection, processing, storage and use of Personal Data is essential in the context of many of Biotaware's business functions.
Biotaware may collect the following Personal Data:
· Users Data
Data collected when a user interacts with our helpdesk service. When a user enters a request on our helpdesk service, the user is asked to provide the following information: first name, last name, email address and telephone number.
· Marketing Data
Data collected from visitors of our corporate website, such as information provided by filling in forms on the website (first name, last name, company and email address) or information automatically collected from the website visitor's device or web browser when interacting with our website. When a website visitor visits our website, we place cookies in their browser, which allows us, by using the IP address, to track which pages the visitor views on our website and when.
Biotaware processes the following Personal Data:
· Clinical Data
Clinical data provided by Biotaware's customers. These data may comprise patient ID number, gender, age, date of birth, ethnic origin and patient health-related data. These data are considered pseudonymised Sensitive Personal Data.
· Users Data
Data required for user account creation on the Biotaware web application. These data are provided by the customer and comprise first name, last name and email address.
4.2 Purpose of data processing
Biotaware uses Personal Data only in ways that are compatible with the purposes for which it was collected.
· Users Data
We require users to submit their name, email address, the name of their organization, and the country in which they are based on our helpdesk service, so that we may send the material the users have requested and reply to their requests.
· Marketing Data
We use the information website visitors give by filling in forms on our website to provide them with commercial and company news messages via email relating to Biotaware and its products and services.
We use the information we collect from the website visitor's device to track the pages that they read on our website for marketing purposes, in order to identify their key areas of interest and send them relevant communications.
· Clinical Data
Clinical Data and Users Data will be maintained for the period of time needed to fulfil legitimate and lawful business purposes, in accordance with our records retention policies and applicable laws and regulations. Marketing Data will be maintained for an undefined period of time in accordance with applicable laws and regulations. Data subjects may exercise the rights defined in section 4.6 at any time.
4.3 Lawfulness and fairness
4.3.1 Processing of Personal Data
We only collect data for specified, explicit and legitimate purposes and will only process data on lawful and fair grounds.
We rely on the following legal grounds to collect and process Personal Data:
· Clinical Data
The data subject has given consent: Biotaware processes Clinical Data as a Processor and is therefore not responsible for demonstrating that the data subject has consented to the processing of his or her Personal Data. It is the responsibility of Biotaware's customer to obtain consent from the data subjects.
· Users Data
To perform a contract to which the data subject is a party: we require user Personal Data to create an account on our web application or to allow our helpdesk to answer the user.
· Marketing Data
For legitimate business purposes: information collected through website visitors’ use of our corporate website is useful for us to better understand their needs and how we can improve our products and services.
We will only process the data for a purpose compatible with the purpose for which the Personal Data were initially collected. If the purpose of collecting, processing and using the Personal Data changes from the original purpose, the new processing will be done on a lawful ground and we will provide the data subjects with information on that other purpose prior to that further processing.
4.3.2 Processing of Sensitive Personal Data
Sensitive data are limited to Clinical Data. The processing of sensitive data is performed within the scope of Biotaware operations. Ethnic origin and clinical data concerning health are required for our operational activities. Processing of Sensitive Personal Data is allowed pursuant to the lawful ground “consent from the data subject”. Clinical Data are not collected directly by Biotaware; they are collected by Biotaware's customers. It is the responsibility of Biotaware's customer to obtain consent from the data subjects.
4.4 Data Protection
Biotaware takes the appropriate and necessary organizational and technical security measures to protect the data and privacy of data subjects from whom data have been collected, in order to prevent the loss, disclosure, unauthorized use, alteration or destruction of information we receive.
The principle of pseudonymisation is applied to Clinical Data. Biotaware customers are informed that they cannot upload patient personally identifiable information such as name, social number or biometric data to the Biotaware web application. Patient identifiers are used instead, and Biotaware does not own the key that links a patient identifier to a patient name.
We make sure that the principle of data minimisation is applied in all our activities.
· All clinical data collected for the operational activities are relevant, adequate and necessary for evaluating the quality, accuracy, and integrity of clinical trial data.
· Data collected for the creation of users on our web application is strictly limited to what is necessary.
4.4.3 Organizational measures
We have implemented organizational measures to ensure protection of Personal Data:
· Logical access control and principle of least privileges and separation of duties: Personal Data are stored and processed on secured servers and only made accessible to authorized personnel.
· Training: to ensure that any Biotaware employee who has access to Personal Data is kept up to date on the skills and knowledge (e.g. technical, scientific, computer, quality, regulatory, others) required for his/her job and will only process Personal Data according to appropriate instructions.
All Biotaware employees must sign a confidentiality agreement when joining the company.
4.4.4 Technical measures
We have set technical measures to ensure protection of Personal Data. Such measures may include, but are not limited to: network monitoring, the encryption of communications via SSL, encryption of information while it is in storage, firewalls, access controls, and similar security protocols.
4.5 Third parties sharing
We may share the information we collect from and about data subjects with sub-contractors in order to provide specific services to clients, such as hosting and helpdesk.
· No information is disclosed to our hosting provider. Our hosting provider only maintains data in an encrypted state and does not have access to the data.
· Users’ first name, last name, telephone number and e-mail address are disclosed to our helpdesk service.
Where Biotaware engages another processor to carry out specific processing activities, the same data protection obligations are imposed on that processor. This is ensured by contracts and assessments/audits. If the new processor has access to Personal Data, the clients need to be informed and consulted about the intention to outsource the processes/services.
Biotaware has contracts in place with all sub-contractors to define the acceptable use policy and the service level agreement and to set forth the terms and conditions of any works or services performed by the sub-contractors.
In addition, we may disclose personal data as required by law or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
4.6 Data Subject Rights
We commit to allowing any person whose Personal Data we hold to access their Personal Data, to rectify their Personal Data and to limit the use and disclosure of their Personal Data. We also commit to assisting our customers in responding to requests from data subjects exercising their rights, where feasible.
4.6.1 Right to rectification, erasure and restriction of processing
Data subjects whose Personal Data Biotaware holds can at any time make a request for rectification. In the same way, data subjects can request at any time the restriction of the processing of their data or the erasure of their Personal Data. Where Personal Data are rectified, modified or where the processing of Personal Data is restricted, Biotaware will make sure to communicate this to each recipient to whom the Personal Data have been disclosed.
To request a Personal Data rectification or erasure or the restriction of processing, data subjects can contact us as indicated in the “Contact Detail” section of this Privacy Notice. We will respond to such requests within a reasonable timeframe.
In some circumstances, a request for data rectification, erasure or restriction of processing may be rejected by Biotaware. In that case, the reason for the rejection will be communicated to the data subject concerned.
4.6.2 Right to access
Data subjects whose Personal Data Biotaware holds can request access to their Personal Data at any time. In case of a Personal Data access request, Biotaware commits to transmitting the Personal Data in structured, commonly used and machine-readable formats. A secure method must be used when transmitting the data.
To submit a Personal Data access request, data subjects can contact us as indicated in the “Contact Detail” section of this Privacy Notice. We will respond to such requests within a reasonable timeframe.
4.7 Contact Detail
Biotaware commits to replying to any question, handling any request and resolving any complaint about our collection or use of Personal Data. European Union individuals with inquiries or complaints regarding our Privacy Notice should first contact Biotaware at: email@example.com.
4.8 Right to lodge a complaint
Any person has the right to lodge a complaint with the Data Protection Authorities if they believe that Biotaware has not complied with the requirements of the GDPR with regard to their Personal Data. Biotaware commits to cooperating with the panel established by the EU data protection authorities (DPAs) and complying with the advice given by the panel.
To lodge a complaint, data subjects can contact their country-specific data protection authority or Biotaware's lead data protection supervisory authority:
ICO (Information Commissioner’s Office)
Tel. 0303 123 1113
Live Chat: ico.org.uk/livechat
Under certain circumstances, a data subject may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means.
4.9 Changes to Privacy Notice
We may change this Privacy Notice. Any changes to this Privacy Notice will become effective when we post the revised Privacy Notice on the website. This Privacy Notice has been last updated and becomes effective as of April 25th 2019.