Medpace Global Privacy Policy

EFFECTIVE JULY 16, 2020

1. Introduction

The mission of Medpace, Inc., and its global affiliates (“Medpace”) is to accelerate the global development of safe and effective medical therapeutics. Pursuant to this mission, Medpace conducts clinical trials on behalf of Sponsors. At all times Medpace is committed to conducting clinical trials in a manner that strictly adheres to all national and international ethical requirements and clinical trial regulations. Effective adherence to clinical trial regulations requires the gathering, recording, processing, storing, and transmitting of personal data of clinical trial participants, clinical trial investigators, vendors, support staff, and employees.

Medpace is committed to respecting the privacy of individuals of all nationalities in the processing of their personal data, recognizing the fundamental rights to lawfulness, fairness, and transparency. Medpace adheres to the principles of data privacy by design and by default, including data minimization to the extent possible. Medpace adheres to laws relating to data protection in all jurisdictions in which it conducts business, including but not limited to HIPAA, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Protection Act, and the United Kingdom Data Protection Act of 2018. The Privacy Shield framework has been invalidated by the Court of Justice of the European Union as of July 16, 2020. Medpace remains certified and in good standing, and continues to adhere to the underlying core values of the Privacy Shield program.

CALIFORNIA RESIDENTS: Medpace adheres to the applicable provisions of the California Consumer Protection Act. Medpace does not sell personal data. Residents of California may contact Medpace pursuant to Section 8 below to enquire about the collection of their personal information, including any request to delete personal information.

2. Personal Data of Clinical Trial Subjects

2.1 Medpace processes pseudonymized medical and health information about the individuals who take part in clinical trials. This information is collected by investigators and their staff at the study sites. Medpace may transmit this data from the jurisdiction in which it was collected to Medpace headquarters in the United States. When consent is required for the processing of personal data, the physician investigators overseeing the trial are responsible for ensuring that the individuals understand and consent to the gathering of sensitive personal data relating to their health, including the transfer of such pseudonymized information to third parties who may be providing services for the clinical trial.

2.2 Pursuant to Opinion 03/2019 of the European Data Protection Board, Medpace declares that the processing of personal data of EU citizens participating in a clinical trial is necessary for the performance of a task carried out in the public interest. Specifically, the processing of sensitive categories of data is carried out for reasons of public interest in the area of public health, and/or archived for scientific purposes in accordance with Article 89(1) of the GDPR.

3. Personal Data of Investigators and Business Partners

3.1 Medpace collects personal data from business partners and vendors who are providing services to Medpace. This processing is necessary for the fulfillment of Medpace’s contracts with these individuals and their employers, and may be required for submission of clinical trial data to governmental and regulatory authorities, IRBs, and ethical committees. The basis for collection of physician investigator data is the fulfillment of a legal obligation related to ensuring that investigators are qualified to oversee a clinical trial. The basis for collecting site and investigator staff information is the fulfillment of a contract between Medpace (directly or on behalf of the Sponsor) and the site. When applicable, Medpace complies with all obligations to provide transparency notices about the processing or transfer of this personal data. When consent for the collection or processing of personal data is required, it is the obligation of the data controller (the study site or employer) to obtain consent or to provide notice to its employees and staff.

4. IT and Security Procedures

4.1 Medpace has in place physical, electronic and organizational procedures to safeguard and secure personal data stored on its systems. These procedures are documented in a Data Privacy Impact Assessment. Medpace deploys encryption, firewalls, access controls, and other procedures to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Access to Medpace facilities is controlled via a combination of technical and physical controls. Medpace maintains a disaster recovery plan and system backup plan in the event that its systems are damaged or destroyed. All employees receive training on security and are required annually to review and understand global data protection standards applicable to Medpace.

4.2 Access to personal data is restricted to authorized individuals, who can access it only on a “need to know” basis for study purposes, with access records maintained in an audit trail.

4.3 Medpace may store some business records or clinical trial documents in hard copy (paper or disk) format, as required by law or regulation, or pursuant to the fulfilment of a legitimate business purpose. Medpace has in place a document retention policy, pursuant to which documents are retained for the minimum time necessary, and then securely destroyed. Long-term storage of hard copy documents may be carried out by a qualified third-party vendor.

5. Transfer of Personal Data

5.1 Transfer to Third Parties

Personal data may be shared with third parties to fulfill the purposes for which the data was originally collected. Personal data is transferred to third parties pursuant to contractual obligations consistent with Article 28(4) of GDPR when applicable, and with this Global Privacy Policy.

5.2 Transfer to Third Countries

Personal data may be transferred to a third country outside of the EU or European Economic Area. Transfers to third countries not deemed adequate by the EU are made according to the principles of appropriate safeguards as outlined in Article 46 of the GDPR. Medpace, Inc. and all Medpace US affiliates comply with the requirements of the EU to provide adequate safeguards for personal data transferred from the EU or Switzerland to the United States. This includes personal data collected on our website, personal data that may be provided for clinical trials, personal data collected from employees, and personal data collected from investigators, their staff, business partners, and third-party vendors. Medpace is committed to protecting the rights of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity, Access, and Recourse, Enforcement and Liability as they relate to personal data.

6. Rights to Access and Choice

6.1 Medpace is committed to cooperating to the full extent of applicable law in the exercise of the rights of data subjects. Any data subject who wishes to exercise his or her rights under applicable data privacy law, or to inquire about the processing of his or her data by Medpace, should contact Medpace pursuant to Section 8 of this Global Privacy Policy.

6.2 EU and Swiss citizens whose data is processed by Medpace have a right to be informed of the choices and means available for limiting the use and disclosure of their personal data. EU and Swiss citizens may have the right to access, modify, or suppress their personal data, to elect not to have personal data transferred to a third party, or to object to their personal data being used for any purpose materially different from that disclosed to them, or stated within this Global Privacy Policy. Upon request, Medpace will honor the request to access, modify, suppress, prevent or stop transferring, or delete an individual’s personal data to the extent reasonably possible. Medpace may, pursuant to the law, disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

6.3 Clinical trial participants should contact the study site at which they participated in the clinical trial, or the Principal Investigator of the study, to enquire about choices and means available for limiting the use and disclosure of their personal data under applicable data privacy laws. The rights available to a clinical trial participant may be limited pursuant to an exception to the applicable data privacy law to preserve the integrity or scientific value of the data collected.

7. Rights to Enforcement and Recourse

7.1 Data subjects have a right to lodge a complaint with the appropriate EU supervisory authority, and also a right to an effective judicial remedy against infringing controllers and processors.

7.2 Residents of California may have a private right of action in the event of a data breach. Pursuant to California law, affected individuals must first notify Medpace of the alleged violation and provide Medpace 30 days to cure the violation.

8. How to Contact Medpace

8.1 For more information about Medpace’s commitment to protecting data privacy, or to exercise any rights you may have under applicable data privacy laws, please contact Medpace at privacy@medpace.com, by telephone at 1 (513) 579-9911 (Cincinnati local), +1 (800) 730-5779 (USA toll free) or by mail at 5375 Medpace Way, Cincinnati, Ohio 45227 United States of America, Attn: Data Protection Officer.