Effective December 14, 2020
On July 16, 2020 the Court of Justice of the European Union issued an opinion invalidating the US-EU Privacy Shield (Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems or “Schrems II”). Medpace acknowledges that decision and has taken action to comply with the CJEU opinion and current guidance from the EU. However, Medpace also remains committed to the goals of the Privacy Shield program, and hopeful that a new agreement may be put in place between the US and EU.
1.1 The mission of Medpace, Inc., and its global affiliates (“Medpace”) is to accelerate the global development of safe and effective medical therapeutics. Pursuant to this mission, Medpace conducts clinical trials on behalf of Sponsors. At all times Medpace is committed to conducting clinical trials in a manner that strictly adheres to all national and international ethical requirements and clinical trial regulations. Effective adherence to clinical trial regulations requires the gathering, recording, processing, storing, and transmitting of personal data of clinical trial participants, clinical trial investigators, vendors, support staff, and employees.
1.2 Medpace is committed to respecting the privacy of individuals of all nationalities in the processing of their personal data, recognizing the fundamental rights to lawfulness, fairness, and transparency. Medpace adheres to the principles of data privacy by design and by default, including data minimization to the extent possible. Medpace adheres to laws relating to data protection in all jurisdictions in which it conducts business, including but not limited to HIPAA, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Protection Act, and the United Kingdom Data Protection Act of 2018.
2. Personal Data of Clinical Trial Subjects
2.1 Medpace processes pseudonymized medical and health information about the individuals who take part in clinical trials. This information is collected by investigators and their staff at the study sites. Medpace may transmit this data from the jurisdiction in which it was collected to Medpace headquarters in the United States. When consent is required for the processing of personal data, the physician investigators overseeing the trial are responsible for ensuring that the individuals understand and consent to the gathering of sensitive personal data relating to their health, including the transfer of such pseudonymized information to third parties who may be providing services for the clinical trial.
2.2 Pursuant to Opinion 03/2019 of the European Data Protection Board, Medpace declares that the processing of personal data of EU citizens participating in a clinical trial is necessary for the performance of a task carried out in the public interest. Specifically, the processing of sensitive categories of data is carried out for reasons of public interest in the area of public health, and/or for scientific purposes in accordance with Article 89(1) of the GDPR.
3. Personal Data of Business Partners
3.1 Medpace collects personal data from business partners and vendors who are providing services to a clinical trial. This processing is necessary for the fulfillment of Medpace’s contracts with these individuals and their employers, and may be required for submission of clinical trial data to governmental and regulatory authorities, IRBs, and ethical committees. The basis for collection of physician investigator data is the fulfillment of a legal obligation related to ensuring that investigators are qualified to oversee a clinical trial. The basis for collecting site and investigator staff information is the fulfillment of a contract between Medpace (directly or on behalf of the Sponsor) and the site. When applicable, Medpace complies with all obligations to provide transparency notices about the processing or transfer of this personal data.
4. IT and Security Procedures
4.1 Medpace has in place physical, electronic and organizational procedures to safeguard and secure personal data stored on its systems. Medpace deploys encryption, firewalls, access controls, and other procedures to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Access to Medpace facilities is controlled via a combination of technical and physical controls. Medpace maintains a disaster recovery plan and system back up plan in the event that its systems are damaged or destroyed. All employees receive training on security and are required annually to review and understand global data protection standards applicable to Medpace.
4.2 Personal data of clinical trial subjects is stored in a proprietary computer system known as ClinTrak™ which only authorized individuals can access on a need to know basis and with access records maintained in an audit trail. Access to other personal data is restricted to authorized employees on a need to know basis.
4.3 Medpace may store some business records or clinical trial documents in hard copy (paper or disk) format, as required by law or regulation, or pursuant to the fulfilment of a legitimate business purpose. Medpace has in place a document retention policy, pursuant to which documents are retained for the minimum time necessary, and then securely destroyed. Long-term storage of hard copy documents may be carried out by a qualified third-party vendor.
5. Transfer of Personal Data
5.1 Transfer to Third Parties
5.2 Transfer to Third Countries
5.2.1 Medpace has self-certified its compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. This includes personal data collected on our website, personal data that may be provided for clinical trials, personal data collected from employees, and personal data collected from investigators, their staff, and third-party vendors. Medpace adheres to the seven Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity, Access, and Recourse, Enforcement and Liability as they relate to personal data. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
5.2.2 Personal data may be transferred to a third country outside of the E.E.A. Transfers to third countries not deemed adequate by the EU are made according to the principles of appropriate safeguards as outlined in Article 46 of the GDPR.
6. Rights to Access and Choice
6.3 Clinical trial participants should contact the study site at which they participated in the clinical trial, or the Principal Investigator of the study, to enquire about their rights under applicable data privacy laws. The rights available to a clinical trial participant may be limited pursuant to an exception to the applicable data privacy law to preserve the integrity or scientific value of the data collected.
7. Rights to Enforcement and Recourse
7.1 In compliance with the Privacy Shield Principles, Medpace commits to resolve complaints about our collection or use of personal information. E.E.A. and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should contact Medpace’s Data Protection Officer at privacy@Medpace.com or at 5375 Medpace Way, Cincinnati, OH 45227. Medpace agrees to respond to the complaint within 30 days of its receipt. For any complaints that cannot be resolved with Medpace directly, Medpace agrees to cooperate with the panel established by the E.U. Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner. As a last resort, if the complaint is not resolved, the Privacy Shield framework provides for binding arbitration before a Privacy Shield Panel made up of three neutral arbitrators. EU and Swiss citizens who pursue resolution of a data protection dispute under the Privacy Shield mechanism will not be charged by Medpace. However, each party will bear its own costs of pursuing binding arbitration.
7.2 Medpace adheres to the applicable provisions of the California Consumer Protection Act. Residents of California may have a private right of action in the event of a data breach. Pursuant to California law, affected individuals must first notify Medpace of the alleged violation and provide Medpace 30 days to cure the violation.
8. How to Contact Medpace
8.1 For more information about Medpace’s commitment to protecting data privacy, or to exercise any rights you may have under applicable data privacy laws, please contact Medpace at firstname.lastname@example.org, by telephone at 1 (513) 579-9911, or by mail at 5375 Medpace Way, Cincinnati, Ohio 45227 United States of America, Attn: Data Protection Officer.