Medpace Global Privacy Policy

Revised January 2020

1. Introduction

1.1 The mission of Medpace, Inc., and its global affiliates (“Medpace”) is to accelerate the global development of safe and effective medical therapeutics. Pursuant to this mission, Medpace conducts clinical trials on behalf of Sponsors. At all times Medpace is committed to conducting clinical trials in a manner that strictly adheres to all national and international ethical requirements and clinical trial regulations. Effective adherence to clinical trial regulations requires the gathering, recording, processing, storing, and transmitting of personal data of clinical trial participants, clinical trial investigators, vendors, support staff, and employees.

1.2 Medpace is committed to respecting the privacy of individuals of all nationalities in the processing of their personal data, recognizing the fundamental rights to lawfulness, fairness, and transparency. Medpace adheres to the principles of data privacy by design and by default, including data minimization to the extent possible. Medpace adheres to laws relating to data protection in all jurisdictions in which it conducts business, including but not limited to HIPAA, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Protection Act, and the United Kingdom Data Protection Act of 2018.

1.3 Privacy Shield.

Medpace, Inc. and all Medpace US affiliates, including Medpace Reference Laboratories, LLC, Medpace Bioanalytical Laboratories, LLC, Medpace Clinical Pharmacology, LLC, Medpace Medical Device, Inc., Medpace Clinical Research, LLC, Medpace Research, Inc., and Medpace Core Laboratories, LLC have self-certified their compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. This includes personal data collected on our website, personal data that may be provided for clinical trials, personal data collected from employees, and personal data collected from investigators, their staff, business partners, and third-party vendors. Medpace adheres to the seven Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity, Access, and Recourse, Enforcement and Liability as they relate to personal data. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

2. Personal Data of Clinical Trial Subjects

2.1 Medpace processes pseudonymized medical and health information about the individuals who take part in clinical trials. This information is collected by investigators and their staff at the study sites. Medpace may transmit this data from the jurisdiction in which it was collected to Medpace headquarters in the United States. When consent is required for the processing of personal data, the physician investigators overseeing the trial are responsible for ensuring that the individuals understand and consent to the gathering of sensitive personal data relating to their health, including the transfer of such pseudonymized information to third parties who may be providing services for the clinical trial.

2.2 Pursuant to Opinion 03/2019 of the European Data Protection Board, Medpace declares that the processing of personal data of EU citizens participating in a clinical trial is necessary for the performance of a task carried out in the public interest. Specifically, the processing of sensitive categories of data is carried out for reasons of public interest in the area of public health, and/or for scientific purposes in accordance with Article 89(1) of the GDPR.

3. Personal Data of Investigators and Business Partners

3.1 Medpace collects personal data from business partners and vendors who are providing services to Medpace. This processing is necessary for the fulfillment of Medpace’s contracts with these individuals and their employers and may be required for submission of clinical trial data to governmental and regulatory authorities, IRBs, and ethical committees. The basis for collection of physician investigator data is the fulfillment of a legal obligation related to ensuring that investigators are qualified to oversee a clinical trial. The basis for collecting site and investigator staff information is the fulfillment of a contract between Medpace (directly or on behalf of the Sponsor) and the site. When applicable, Medpace complies with all obligations to provide transparency notices about the processing or transfer of this personal data. When consent for the collection or processing of personal data is required, it is the obligation of the data controller (the study site or employer) to obtain consent or provide notice to its employees and staff.

4. IT and Security Procedures

4.1 Medpace has in place physical, electronic, and organizational procedures to safeguard and secure personal data stored on its systems. These procedures are documented in a Data Privacy Impact Assessment. Medpace deploys encryption, firewalls, access controls, and other procedures to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Access to Medpace facilities is controlled via a combination of technical and physical controls. Medpace maintains a disaster recovery plan and system backup plan in the event that its systems are damaged or destroyed. All employees receive training on security and are required annually to review and understand global data protection standards applicable to Medpace.

4.2 Personal data of clinical trial subjects is stored in a proprietary computer system known as ClinTrak™, which only authorized individuals can access on a need-to-know basis, with access records maintained in an audit trail. Access to other personal data is restricted to authorized employees on a need-to-know basis.

4.3 Medpace may store some business records or clinical trial documents in hard copy (paper or disk) format, as required by law or regulation, or pursuant to the fulfilment of a legitimate business purpose. Medpace has in place a document retention policy, pursuant to which documents are retained for the minimum time necessary, and then securely destroyed. Long-term storage of hard copy documents may be carried out by a qualified third-party vendor.

5. Transfer of Personal Data

5.1 Transfer to Third Parties

5.1.1 Personal data may be shared with third parties to fulfill the purposes for which the data was originally collected. Personal data is transferred to third parties pursuant to contractual obligations consistent with Article 28(4) of GDPR when applicable, and with this Global Privacy Policy. Medpace has responsibility for the processing of personal data that it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Medpace may remain liable if its agent processes such personal data in a manner inconsistent with the Privacy Shield Principles, unless the organization proves that it is not responsible for the event giving rise to the harm.

5.2 Transfer to Third Countries

5.2.1 Personal data may be transferred to a third country outside of the E.E.A. Transfers to third countries not deemed adequate by the EU are made according to the principles of appropriate safeguards as outlined in Article 46 of the GDPR, including Medpace’s Privacy Shield certification.

6. Rights to Access and Choice

6.1 Medpace is committed to cooperating to the full extent of applicable law in the exercise of the rights of data subjects. Any data subject who wishes to exercise his or her rights under applicable data privacy law, or to inquire about the processing of his or her data by Medpace, should contact Medpace pursuant to Section 8 of this Global Privacy Policy.

6.2 EU and Swiss citizens whose data is processed by Medpace have a right to be informed of the choices and means available for limiting the use and disclosure of their personal data. EU and Swiss citizens may have the right to access, modify, or suppress their personal data, to elect not to have personal data transferred to a third party, or to object to their personal data being used for any purpose materially different from that disclosed to them, or stated within this Global Privacy Policy. Upon request, Medpace will honor the request to access, modify, suppress, prevent or stop transferring, or delete an individual’s personal data to the extent reasonably possible. Medpace may, pursuant to the law, disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

6.3 Clinical trial participants should contact the study site at which they participated in the clinical trial, or the Principal Investigator of the study, to enquire about choices and means available for limiting the use and disclosure of their personal data under applicable data privacy laws. The rights available to a clinical trial participant may be limited pursuant to an exception to the applicable data privacy law to preserve the integrity or scientific value of the data collected.

7. Rights to Enforcement and Recourse

7.1 The Federal Trade Commission has jurisdiction over Medpace’s compliance with the Privacy Shield pursuant to its investigatory and enforcement powers. In compliance with the Privacy Shield Principles, Medpace commits to resolve complaints about our collection or use of personal information. E.E.A. and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Medpace’s Data Protection Officer at privacy@Medpace.com or at 5375 Medpace Way, Cincinnati, OH 45227. Medpace agrees to respond to the complaint within 30 days of its receipt. For any complaints that cannot be resolved with Medpace directly, Medpace agrees to cooperate with the panel established by the E.U. Data Protection Authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner. As a last resort, if the complaint is not resolved, the Privacy Shield framework provides for binding arbitration before a Privacy Shield Panel made up of three neutral arbitrators. EU and Swiss citizens who pursue resolution of a data protection dispute under the Privacy Shield mechanism will not be charged by Medpace. However, each party will bear its own costs of pursuing binding arbitration. For more information about the option to pursue binding arbitration, please visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

7.2 Medpace adheres to the applicable provisions of the California Consumer Protection Act. Medpace does not sell personal data. Residents of California may contact Medpace pursuant to Section 8 below to enquire about the collection of their personal information, including any request to delete personal information. Residents of California may have a private right of action in the event of a data breach. Pursuant to California law, affected individuals must first notify Medpace of the alleged violation and provide Medpace 30 days to cure the violation.

8. How to Contact Medpace

8.1 For more information about Medpace’s commitment to protecting data privacy, or to exercise any rights you may have under applicable data privacy laws, please contact Medpace at privacy@medpace.com, by telephone at 1 (513) 579-9911 (Cincinnati local), +1 (800) 730-5779 (USA toll free) or by mail at 5375 Medpace Way, Cincinnati, Ohio 45227 United States of America, Attn: Data Protection Officer.