SYNTACTX’S NOTICE OF CERTIFICATION UNDER THE EU-­US PRIVACY SHIELD FRAMEWORK

Policy

Syntactx respects the privacy of all individuals. Protecting privacy is important to us and as part of our commitment, Syntactx complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and Switzerland to the United States. Syntactx has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Scope

This Privacy Policy outlines our general policy and practices for implementing the Privacy Shield Principles, including the types of information we gather, how we use it and the notice and choice affected individuals have regarding their Personal Information. This Privacy Policy applies to all Personal Information received by Syntactx in the performance of services to its customers as a Clinical Research Organization “CRO” including Personal Information related to healthcare professionals and clinical study participants. This policy also applies to data collected from employees, customers, business partners and Syntactx websites.

Definitions

  • “Agent” means any third party that collects or uses Personal Information under the instructions of Syntactx or to which Syntactx discloses Personal Information for use on Syntactx’s behalf.
  • “European Union (EU)” means, for the purposes of this Policy, all countries within the European Economic Area (EEA).
  • “Individual” means any natural person located in the European Union or Switzerland whose Personal Information is shared with Syntactx in the United States.
  • “Personal Information” means any information or set of information that (1) is transferred from the EU or Switzerland to the United States; and (2) is recorded in any form; and (3) is about, or pertains to, a specific individual; and (4) identifies the individual or could be used by or on behalf of Syntactx to identify an individual. Personal Information does not include information that has been anonymized or public information that has not been combined with Personal Information.
  • “Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, data concerning a person’s sex life or sexual orientation, or information relating to the commission of a criminal offence.
  • “Personnel” means an individual employed by Syntactx, or an affiliate located in one of the EU member countries.
  • “Syntactx” means Syntactx, LLC, Syntactx Technologies, and its subsidiaries in the United States.

Privacy Principles

Where Syntactx collects Personal Information directly from individuals in the EU or Switzerland, Syntactx will inform them of the purposes for which it collects and uses Personal Information about them, the types of third parties to which Syntactx discloses that information, and the choices and means, if any, Syntactx offers individuals for limiting the use and disclosure of their Personal Information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Syntactx, or as soon as practical thereafter, and in any event before Syntactx uses the information for a purpose materially different than that for which it was originally collected.

Where Syntactx is the recipient of Personal Information from subsidiaries, affiliates or other entities within the EU or Switzerland, including when acting as a CRO processing Personal Information under the direction of a customer, it will use the information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Information relates.

Types of Personal Information collected, purposes of collection and uses of Personal Information:

Research Studies: For Individuals participating in research studies being managed by Syntactx as a CRO, including patients, their spouses/partners, caregivers, relatives, clinical investigators, or other study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates, business partners and third-party service providers, Personal Information may be used in order to carry out the applicable studies and other study-related services. This may include the transfer of such Personal Information to the applicable study sponsor, its corporate affiliates, business partners and third-party service providers performing services related to the study (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).

Human Resources: For individuals who are personnel, Syntactx will process Personal Information to carry out and support its human resources functions and activities, including but not limited to, employment opportunities, personnel recruitment and onboarding, administration of personnel participation in benefits, compensation and human resources plans, programs and applications, management of personnel performance, and implementation, investigation and reporting on compliance and discipline procedures and matters. Syntactx may provide Personal Information to Agents to support Syntactx in performance of these human resources-related activities.

Core Services: For individuals sharing Personal Information with Syntactx to inquire about or otherwise make use of its services or purchase, receive or seek information and or opportunities to participate in clinical research, Syntactx will use such Personal Information in order to provide the requested information, products, and/or services. Such uses may include processing requested transactions, improving the quality of services, sending communications about the products and services available through Syntactx, and enabling Syntactx business partners and Agents to perform certain activities on its behalf.

Syntactx may also use the Personal Information collected above to comply with legal and regulatory obligations, policies and procedures, and for internal administrative purposes.

Choice

Syntactx offers individuals the opportunity to choose (opt out) whether their Personal Information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.

For sensitive information, Syntactx will give individuals the opportunity to affirmatively express consent (opt in) if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Syntactx will treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive.

Accountability for Onward Transfers

Syntactx may share Personal Information with contracted third parties or other agents of the study sponsor as required to successfully complete client activities or to meet business needs. These third parties must also comply with the Notice and Choice Principles and Syntactx will contract with these parties such that the data shared may only be processed for limited and specified purposes consistent with the consent provided by the individual. Syntactx ensures that any third party to which Personal Information may be disclosed subscribes to the Principles or are subject to law providing the same level of privacy protection as is required by the Principles and agree in writing to provide an adequate level of privacy protection. In cases of onward transfer to third parties of Personal Data received pursuant to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, Syntactx is potentially liable.

Compelled Disclosure

Syntactx may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Security

We are committed to ensuring that your information is secure. Syntactx takes reasonable precautions through physical, technical and administrative procedures to safeguard and secure Personal Information in its possession from loss, misuse, unauthorized access or disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information Syntactx is processing.

Data Integrity & Purpose Limitation

Syntactx will only use Personal Information in a way that is consistent with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Syntactx will take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use and for the duration it is held by Syntactx.

Access

On request, Syntactx will provide individuals with reasonable access to their Personal Information, and in doing so allowing individuals the opportunity to correct, amend or delete inaccurate information, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Syntactx, as a CRO, does not have direct relationships with research participants and as such, these individuals seeking access to their Personal Information should direct inquiries to the clinical investigator or study sponsor which transferred the Personal Information to Syntactx for processing.

Recourse, Enforcement & Liability

In compliance with the Privacy Shield Principles, Syntactx commits to resolve complaints about our collection or use of your Personal Information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Syntactx at the contact information provided below.

Syntactx has further committed to refer unresolved Privacy Shield complaints to the applicable EU data protection authority (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), an alternative dispute resolution provider located in the EU or Switzerland, as applicable. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit the applicable EU data protection authority (DPA) or the Swiss Federal Data Protection and Information Commissioner (FDPIC) for more information or to file a complaint.  This independent dispute resolution mechanism is available to you free of charge.

Syntactx commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship. Under the Privacy Shield Principles, you may choose to invoke binding arbitration to resolve any residual complaints not resolved by any other means.

Syntactx’s commitments under this policy are subject to the enforcement powers of the US Federal Trade Commission (FTC).

Contact Information

Syntactx, LLC

Attn: Chief Operating Officer

4 World Trade Center
150 Greenwich Street, 44th Floor
New York, NY 10007

Tel: +1 212 228 9000

Email: info@syntactx.com

Or by using the Contact Us page.

Effective Date: 30-July-2018