Please note that we may provide additional privacy notices or similar disclosures in respect of certain entities within Pharmaron group, certain categories of data subjects (e.g., certain former or existing employees associated with Pharmaron), and certain geographies and jurisdictions. In addition, Pharmaron also implements a series of information security policies and procedures to safeguard the security and confidentiality of our and our clients’ sensitive business information, trade secrets as well as other data.
- Pharmaron’s Role in Personal Information Processing
Where Pharmaron collects Personal Information about individuals such as employees, job applicants, website users, business contacts for Pharmaron’s own business purposes, it acts as the handler (i.e., controller) of such Personal Information. Pharmaron will provide the individual data subjects with the relevant information and notices, obtain their consent and/or establish other lawful processing grounds in accordance with the applicable laws.
Where Pharmaron collects, processes Personal Information in connection with the services provided by Pharmaron under an engagement with a client (including when acting as a CRO processing Personal Information on behalf of and under the direction of a client), the relevant client is the handler of the Personal Information. The client will be responsible for providing appropriate notice to the individuals, obtaining any requisite consent and/or establishing other lawful processing grounds (unless this function has been delegated to Pharmaron); Pharmaron, as the “entrusted party” of its client, will process such Personal Information in accordance with the instructions of the client, and only for such purpose and in such manner as approved by the client.
- Principles and Lawful Processing Grounds
We are committed to collecting and processing Personal Information in a manner consistent with the applicable laws and regulations as well as the needs of and our promises to the clients, and upholding the highest ethical standards in our business practices. We adhere to the principles of lawfulness, legitimacy, necessity and good faith, purpose limitation, data minimization, transparency, quality and accuracy, accountability, security etc. when processing Personal Information.
We collect and process Personal Information based on one or more of the following legal grounds as permitted by the applicable laws of the relevant jurisdictions where we operate (such as the Personal Information Protection Law of China, the EU GDPR, the UK GDPR, the applicable Maryland state and U.S. federal laws etc.):
- consent given by the data subjects to the processing of their Personal Information for one or more specific purposes, including with respect to the processing of sensitive Personal Information;
- to perform legal duties or legal obligations, for example, to respond to and comply with requests from governmental, regulatory, tax and law enforcement authorities;
- to conclude or perform a contract with the data subjects;
- to implement human resources management in accordance with legally-adopted labor rules and systems and legally-concluded collective contracts;
- to respond to public health emergencies, or to protect the data subjects’ life, health, and property safety under emergency circumstances;
- processing, within the reasonable scope, of Personal Information for the public interest;
- processing, within the reasonable scope and in accordance with the applicable laws, of Personal Information that has been made public by the data subjects or through other lawful means; and/or
- other circumstances prescribed by laws and administrative regulations.
- Sources of Personal Information
Pharmaron may collect Personal Information from the following individuals:
- employees, directors, officers, contractors, workers, agents, representatives, job applicants of Pharmaron and any and all of their respective family members, dependents;
- business contacts, employees, directors, officers, contractors, workers, agents and other individual representatives of Pharmaron’s clients, customers, suppliers, consultants, advisers and other service providers;
- visitors to Pharmaron’s websites and users of any digital services Pharmaron provides;
- healthcare professionals;
- individuals participating in research studies that Pharmaron manages as a CRO or otherwise participates in, including patients, their spouses/partners, care givers, and relatives, clinical investigators or other study personnel, and other individual consultants, contractors, managers, and agents of the study sponsor and its corporate affiliates, business partners and third-party service providers;
- Pharmaron may also collect Personal Information from public sources or receive Personal Information from business partners and third parties.
- Categories of Personal Information Processed by Pharmaron
We collect and process the following Personal Information:
- individual details: name, address, other contact details (e.g., email and telephone details), gender, date and place of birth, job title, employment history, medical records and health related information, bank accounts.
- identification details: identification numbers issued by government bodies or agencies (e.g., passport number, ID number, driver’s license number etc.).
- financial information: bank account number and account details, income and other financial information.
- medical and health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history.
- other sensitive Personal Information: as defined under the applicable laws, including information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.
- marketing data: whether or not the individual has consented to receive marketing from us and from third parties.
- website and communication usage: details of individuals’ visits to our website and information collected through cookies and other tracking technologies, including, but not limited to, IP address and domain name, browser version and operating system, traffic data, location data, web logs and other communication data, and the resources accessed by the individual user.
- How and For What Purposes Pharmaron Processes Personal Information
We collect and process Personal Information for a variety of reasonable and legitimate business purposes.
- Research Studies-Related Information. For individuals participating in research studies that Pharmaron manages as a CRO or in other situations where Pharmaron is participating in research studies, including patients, their spouses/partners, care givers, and relatives, clinical investigators, and other representatives, employees, advisors, contractors, and agents of the sponsor and its affiliates, business partners and service providers, their Personal Information may be used in order to carry out the applicable studies and other study-related services, clinical trials, real world studies, and/or pharmacovigilance etc..
- Health Care Professionals. Pharmaron collects and uses Personal Information of health care professionals in connection with various health care activities, including clinical trials, real world studies of patient treatment, health care outcomes analysis, market research activities, etc.
- Customers and Program Participants. For individuals who inquire about or otherwise use our products or services (e.g., opportunities to participate in clinical research, health care education and patient support programs), we will use their Personal Information in order to provide the requested information, products, and/or services.
- Labor and Human Resources Management. For individuals who are current or former employees, job applicants, directors, supervisors, officers, contractors etc. of Pharmaron, we will process their Personal Information to carry out and support our human resources functions and activities, including without limitation evaluation of suitability of the applicant for a position, administration and management of employees, compensation, stock options, grants and purchase plans, bonuses, retirement, training, and career planning, communication with employees or their emergency contacts, travel and expense planning and reimbursement, management of employee performance, and implementation, investigation and reporting on compliance and discipline procedures and matters, etc..
- Business Contacts. For individuals who are business contacts of Pharmaron, Pharmaron will collect and use their Personal Information for purposes consistent with the provision of information by these contacts, which may include marketing activities focused on sales of new products and services, requests to participate in market research that enhance Pharmaron’s products and services, and other business activities.
- Data Analytics and Research. In certain situations, Pharmaron collects and processes Personal Information for various data analytics and research purposes.
- Other Legitimate Purposes. Pharmaron may also collect and process Personal Information for other legitimate purposes, including but not limited to:
- complying with legal or regulatory obligations, court orders or legal processes; in response to lawful requests by public authorities; or under discovery process in litigation;
- performing a contract with the data subject or to take steps at the data subject’s request before entering into a contract;
- communicating with data subjects;
- performing activities relating to client management, financial management and administration;
- creating, improving and developing our products and services;
- conducting market research, surveys, data analytics, and similar inquiries to help us understand trends, client and website user needs;
- investigating and resolving disputes and security issues and enforcing the relevant agreements;
- monitoring and auditing compliance with internal policies and procedures, legal obligations and satisfying requirements and orders of regulatory authorities;
- improving the quality of our services, sending communications about the products and services; and
- enabling our business partners and agents to perform certain activities on our behalf.
We will not use Personal Information for any purposes inconsistent with those notified to data subjects or permitted under the applicable laws.
- Disclosure, Sharing and Cross-Border Transfer of Personal Information
Pharmaron stores Personal Information and other client data on secure servers in accordance with the applicable laws.
When acting as the handler of Personal Information, we provide Personal Information to, or permit access to Personal Information by, certain “Recipients” in Appendix 1. Some Recipients are located in places outside of the jurisdiction where the data is collected or generated. When transferring Personal Information internationally, Pharmaron will meet the applicable requirements under the applicable laws and regulations on cross-border transfers of Personal Information.
When acting as an entrusted party processing Personal Information on behalf of a client, we may disclose or transfer the Personal Information in accordance with the instructions of the relevant client (being the handler of such Personal Information). This may include the transfer of such Personal Information to the applicable study sponsor, its affiliates, business partners and third-party service providers performing services related to the study (e.g., data management, safety monitoring, etc.). We will take appropriate organizational and technical security measures to ensure the security of the Personal Information being processed and transferred, and provide the client with necessary and reasonable assistance in complying with the applicable laws and regulations in relation to such data transfers.
- Security Measures
Personal Information held by us will be kept confidential in accordance with applicable Pharmaron policies and procedures. We have in place organizational and technical security measure appropriate to the sensitivity and risk of the Personal Information we process. These measures will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Information, and include measures designed to keep Personal Information protected from loss, misuse and unauthorized access, disclosure, alteration and destruction.
If appropriate, the safeguards include the encryption of communications, encryption of information during storage, de-identification and pseudonymization, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Information to personnel and third parties that require access to such information for legitimate, relevant business purposes.
Where we have given the data subject (or where the data subject has chosen) a password which enables him or her to access certain parts of our systems or websites, the data subject is responsible for keeping this password confidential and for complying with any other security procedures that we notify him or her of. We ask the data subject not to share a password with anyone.
- Breach Notification
We have an information security incident response program designed to promptly respond to and escalate all information security issues, complaints, concerns, including any potential information security incident and data breaches. We will report information security incidents and data breaches to the regulatory authorities and data subjects when required under applicable laws, and assist the client in complying with its notification or reporting obligations under the applicable laws when acting as a CRO or otherwise processes Personal Information for and on behalf of the client.
- Protection of Client Data
We take seriously the obligation to safeguard Personal Information and other client data. When acting as a CRO or otherwise processes Personal Information for and on behalf of the client, we will take necessary and appropriate organizational, technical, administrative, procedural, electronic as well as physical security measures to safeguard the security of the client’s data, in accordance the applicable laws and regulations, and the relevant policies and guidelines of the client and Pharmaron.
Pharmaron will assist its clients in complying with the applicable data protection laws, including entering into necessary data processing agreements and/or standard contractual clauses, which may set out the scope, purpose, method and duration of Pharmaron’s data processing, the categories of Personal Information processed and rights of data subjects, Pharmaron’s confidentiality obligations as an entrusted party, cooperation regarding inquiries and requests from data subjects and authorities, international data transfers, use of sub-processors, storage and deletion of data, security measures and personal data breach handling procedures.
- Data Subject Rights
We strive to maintain Personal Information that is accurate, complete and current. Individuals should contact us using the contact details at the “Contact Information” section below to update their information.
In addition, we respect the following rights of the data subjects in accordance with the applicable laws:
- right to be informed of our processing activities and to make decisions with respect to their Personal Information in accordance with the applicable laws;
- right to consult and copy their Personal Information;
- right to correct or supplement their Personal Information if the information we hold is inaccurate or incomplete;
- right to request us to delete any Personal Information that we no longer have a lawful ground to use; if deletion is technically unfeasible or we are required by law to keep the information longer, we will stop all processing activities in connection with the Personal Information except for storing the same by taking necessary security measures;
- right to refuse or restrict the processing of their Personal Information in accordance with the applicable laws;
- right to request us to explain our processing rules for Personal Information;
- right to request us to transfer their Personal Information to the Personal Information handler they designate when the legal conditions for such transfer are satisfied; and
- right to request us to explain decisions that have significant impact on their rights and interests and are made through automated decision-making technologies, and to refuse decisions made solely via automated decision-making technologies.
- The exercise of these rights is subject to certain exemptions and limitations required or permitted by law and a reasonable fee may be charged if permitted under applicable laws. If you exercise any of these rights, we will check your entitlement and respond in most cases within 30 days.
- In the circumstances in which Pharmaron acts as a CRO or processes Personal Information as an entrusted party for its client, the study sponsor, investigator, or Pharmaron’s client is responsible for providing the individual data subjects (e.g., the participants of the study) with access to their Personal Information and the right to correct, amend or delete the data. In these circumstances, data subjects should direct their questions and requests to the appropriate study sponsor, investigator, or Pharmaron’s client.
- Personal Information Retention and Deletion
Our retention periods for Personal Information are based on business needs and legal requirements. We keep Personal Information for no longer than necessary in relation to the purposes for which we collect and use the Personal Information. After the relevant purposes are realized, we will either (a) delete or irreversibly anonymize the Personal Information, or (b) stop all processing activities in connection with the Personal Information (except for storing the same and necessary security measures), if deletion is technically unfeasible or we are legally required to keep those data for a longer period of time.
- Contact Information
Pharmaron (Beijing) Co., Ltd.
6 Taihe Road
BDA, Beijing, 100176