PRIVACY POLICY AND GDPR COMPLIANCE

Pharmassist Ltd Group (herein after Pharmassist, or we/us, or Group) is a full-service Contract Research Organisation (CRO) located in Athens, Greece [Pharmassist  Ltd] and London, UK [Pharmassist UK (CRO) Ltd]. Pharmassist operates in Europe since 1999, providing services in Clinical Trials, Pharmacovigilance, Regulatory Affairs, Medical Affairs, and Quality Management. Pharmassist has been certified according to ISO 9001 standards, since 2011 and is currently in the process of being certified according to ISO 27001.

This Privacy Policy outlines Pharmassist’s general policy and practices for complying - among others - with the applicable EU General Data Protection Regulation 2016/679 (GDPR), including the types of personal data we process, the reasons and the legal basis for that processing, the technical and security measures that we apply and the rights that individuals have under GDPR. This Privacy Policy applies to all personal information (as these are defined under the GDPR) of natural persons received by our Group, whether in electronic, paper or verbal format.

Notice

Pharmassist shall inform individuals of the purpose for which it collects and uses their personal data and the types of third parties to which it may disclose that information. Pharmassist shall provide individuals with the choice and means for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to Pharmassist, or as soon as practicable thereafter, and in any event before Pharmassist uses or discloses the information for a purpose other than for which it was originally collected.

Where Pharmassist receives personal information from its subsidiary or from other entities in the EU or European Economic Area, including when acting as a CRO processing personal information under the direction of a customer, it shall use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

Pharmassist may not need to furnish notice where the processing in question is necessary to respond to a government inquiry; is required / authorized by applicable laws, court orders or government regulations; or is necessary to protect Pharmassist legal interests.

1. Types of personal data that Pharmassist processes, purposes and legal basis of processing

1.1. Pharmassist endeavors to use personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. We are taking reasonable steps designed to ensure that only Personal Information that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained is used by Pharmassist for as long as Pharmassist retains possession of such information.

1.2. Unless required or authorized by law, Pharmassist will not process sensitive personal information about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual, unless the individual affirmatively and explicitly consents to the processing (“opt-in”).

1.3. More specifically, we may process data in the course of our following services:

a) Clinical and Medical Information

As a global CRO, we collect, host and analyze health data relating to clinical trial subjects, on behalf and according to the directions of our clients/sponsors. To enhance privacy and consistent with Good Clinical Practice, subjects’ names and other direct identifiers are not attached to any records collected and archived by Pharmassist ( e.g. at the CRF documents). Instead, subjects are only identified by a code. Only study doctors and authorized Pharmassist personnel (monitors) may access the complete, named, subject records at the investigational sites. All clinical and medical information processed by Pharmassist is done so under contract with our clients/sponsors. In terms established by the GDPR, Pharmassist considers that the client/sponsor is the “controller”, that is ultimately in control of how and why clinical and medical data are processed, whilst Pharmassist is the “processor”, that acts on the sponsor’s directions. The processing occurs based on the explicit consent of the study subjects, obtained by the designated study doctors or investigational sites and acting upon written contracts between us, the sponsor, the doctor and the investigational sites.

b) Health professionals’ information

Pharmassist collects the professional profiles (CVs) of doctors and other health care providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications. Pharmassist may use available contact information, including email addresses, for the purpose of inviting potential investigators to apply to participate in research. We may source health professional information from our own databases and also indirectly from public sources and referrals. Moreover, Pharmassist may collect health professional’s contact information (such as e-mail address) and basic personal identifications (such as name, medical specialty) and/or some patient’s information that they may choose to disclose to us (name, telephone number, address), within the context of receiving Medical Information regarding a product. For operational purposes, Pharmassist may also collect information relating to the involvement and performance of investigators and supporting study staff. Pharmassist may also process financial information of investigators to support payment for their services. We shall retain the health professionals’ information based on the execution of existing contact or based on the serving of our group’s legitimate interests (for the continuity of our business records and cooperation with them). We shall not use these data for any further or different purpose than the ones stated above and we shall process them only according to the relevant legal framework, applying necessary technical safety measures.

c) Employee and Human Resource data

1. Pharmassist collects personal information from applicants to open positions within Pharmassist, including private contact details, professional qualifications and previous employment history, necessary to reach to employment decisions. Pharmassist may conduct various background checks on applicants, including, where law allows, on criminal history and professional disbarment. Once employed, Pharmassist collects information on staff for human resource, performance, payroll and tax purposes. Various Pharmassist internal systems will collect and record employee information consistent with standard business operations. Pharmassist may process similar information relating to consultants contracted on a freelance basis.

2. Pharmassist may also collect and transfer the CVs of its employees or partners to competent authorities and/or its contractual partners, in cases this is mandated by standard legal procedures and/or according to an existing contract between Pharmassist and the said partner (usually the Sponsor of a project), or during the pre-contractual stage thereof (e.g. CV of Qualified Person Responsible For Pharmacovigilance-EU QPPV).

3. Pharmassist may keep Employee Training Records, containing their personal information, experience, position and training details, in the context of the execution of their contract with Pharmassist, which Record employees  should ensure that it is being regularly updated..

4. Also, due to our awareness of the sensitive nature of certain processes within our company, and in order to prohibit unauthorized access, we have implemented an Access Control System, by installing card-access at all the entrance doors of each floor of our premises in Athens. Every employee and visitors needs to use these cards, with the guidance of the controlling security company. We note that no biometric data (e.g. fingerprints, eye pupils) of the individuals/ users of the said cards are being processed thereof.

5. Lastly, for security reasons in commonly used spaces and in storage rooms, at our premises in Athens, we have installed security cameras systems (CCTV). We ensure that any recording within the offices of our company is not directed to any of our employee’s office/working space. All our employees are officially informed of this security measure and of the processing of some of their personal data that may arise thereof, which does not aim to the recording of their performance.

d) Web visitors

1. Pharmassist collects named information about visitors to Pharmassist website, www.pharmassist-cro.com, where this is voluntarily provided to meet a request from those individuals, by filing our on-line contact form. For example, we may collect information where a client addresses to us a request on a Pharmassist’s service, a health care professional is interested in participating in a clinical trial,  someone wants to apply for a vacant position with Pharmassist, or when someone wants to participate in training events that Pharmassist may organize. Through the use of cookie-based technologies, Pharmassist may collect various data linked to virtual identities allocated to visitors when they access our websites. This data is used for various purposes, including site analytics and first party marketing. In certain cases, these virtual identities are linked to the real world identities of visitors only when they choose to provide their named information as described.

2. More specifically, our website, www.pharmassist-cro.com, uses cookies to improve and optimize your experience as a user. Cookies are small text files that are placed on your computer, smartphone or other device when you access the internet. We use uses cookies to: a) Ensure that web pages can function properly, b) Know your experience navigation and c) Collect anonymous statistical information, such as which sections you have visited, and how long you have been in our environment. You may modify and / or block the installation of cookies sent by the website of Pharmassist Group, however, the quality of the operation of the services may be affected.

3. Moreover, Google Analytics uses "Cookies", which are text files located on your computer, to help the website to analyze users' use of the website. Information generated by Cookies about your use of the website (including your IP address) will be directly transmitted and stored by Google on servers in the United States. Google will use this information on our behalf for the purpose of keeping track of your use of the website, compiling reports of website activity and providing other services related to website activity and Internet use. Google may transfer such information to third parties when required by law, or when such third parties process the information on behalf of Google. Google will not associate your IP address with any other data available to Google. You may refuse to treat data or information by refusing to use Cookies by selecting the appropriate settings from your browser.

e) Pharmacovigilance

1. Pharmacovigilance (PV) is an activity contributing to the protection of patients’ and public health. Each Marketing Authorisation Holder (MAH) has to establish an appropriate pharmacovigilance system for the collection, evaluation and notification of safety information relevant to the risk-benefit balance of medicinal products of its responsibility. Pharmassist, as a CRO, may undertake the conduct of PV services during Clinical Trials phases, as well as in Post-Marketing periods of a medicinal product according to the assignment of some or all of the functions of the Pharmacovigilance System by the MAH and on behalf of that MAH.

2. According to the applicable EU legislation the MAHs should collect as much information as possible on the suspected drug-related adverse events. Thus, the PV data that Pharmassist may collect and process on the MAHs behalf may include information that identifies the patient and the reporter, such as age, weight, height, ethnic origin and health status/medical history. The personal identification and contact details may also be collected if there is a follow-up to the adverse events required.

f) Regulatory Affairs

Pharmassist’s Regulatory Affairs Department offers its multinational expertise in compliance with the diverse Regulatory Agencies and Health Authorities. The services concerning the conduct of Clinical Trials performed by our Group include, but are not limited to National Organization for Medicines (EOF) and National Ethics Commitee submissions, Regulatory Authority submissions, Investigational Product import permit applications, Submission of Amendments, Notifications to National and Bioethics Ethics Committees, Hospital Scientific Councils and Regulatory Authorities, Safety Reporting and Submissions of Progress reports and Final reports to competent Regulatory Authorities. In this context we may collect- among others- contact details of our partners legal representatives (such as name/surname, e-mail address), solemn declarations containing some personal information of our contractual partners’ legal representatives that we are obliged to acquire according to the law for certain procedures, CVs of clinical experts.

h) Quality Unit

In addition to a comprehensive internal  quality assurance program, we provide –among others-QA services to our clients, as a part of either a full-service or a stand-alone project. These include but not limited to: System audits, in which we assess SOPs, staff training program(s) and procedures, Study site audits, pre-inspection checks to help the sites to prepare for regulatory inspections, Clinical study document evaluation, Vendor audits, in which auditors evaluate vendors to ensure they have sufficient capacity and capability to deliver quality products and services on time and in compliance with regulations, Quality oversight visits to obtain independent review of sites and staff performance, as well as recommendations for improvement. (CVs, training records, contact details of audit)

2. Transfer of Data

2.1. We do not and will not sell, rent out or trade your personal information. We will only disclose (transfer, share, send, or otherwise make available or accessible) your personal information to third parties in the ways set out in this Policy.

2.2. Pharmassist may disclose individuals’ personal information to a third party or use it for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual, only if the individual consents to such further processing.

2.3. Pharmassist may share individuals’ personal information with its agents, contractors, clients or partners in connection to services that they perform for, or with, Pharmassist. We shall ensure that any third party to which personal information may be disclosed subscribes to the principles set hereby and is subject to applicable legal framework (including GDPR), providing the same level of privacy protection as is required by these principles and agree in writing to provide an adequate level of privacy protection. For example, Pharmassist employees’ information may be transferred to travel agencies in order to facilitate the arrangement of business travels and bookings and to arrange travel related services and/or products.

2.4. As mentioned above, our Group comprises a Greek and a UK company. The United Kingdom submitted on 29 March 2017 the notification of its intention to withdraw from the Union pursuant to Article 50 of the Treaty on European Union. This means that unless otherwise established, all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET) ('the withdrawal date'). Until this event, any transfer of data to our subsidiary, occurs within the EU. Afterwards, the United Kingdom will become a 'third country'. Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries shall apply. Aside from an "adequacy decision", which allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions, Pharmassist shall only transfer data to Pharmassist (CRO) UK, or/and any other company based in a third country according to the GDPR rules, if the said controller or processor has provided “appropriate safeguards”, such as Binding Corporate Rules, Codes of Conduct, certification mechanisms, or according to standard data protection clauses.

2.5. In some cases, Pharmassist may disclose personal information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if we believe disclosure is necessary or appropriate to prevent vital individual’s interests (e.g. from physical harm) or in connection with an investigation of suspected or actual illegal activity.

2.6. Pharmassist may also transfer personal information in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, Pharmassist will direct the transferee to use personal information in a manner that is consistent with this Policy.

3. Security measures

3.1. Pharmassist operates in compliance with strict and detailed policies and procedures and employs reasonable physical, electronic, managerial and technical procedures to safeguard and secure any personal information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Applied information security management helps us not only to grow, innovate and expand our services, as well as identify the risks related to these information, and to put in place appropriate controls to mitigate and manage the risk thereof. We will destroy or de-identify personal information once we no longer require it for our business purposes, or as required by law.

3.2. To get quality as an outcome, all our procedures are planned, executed, evaluated, reviewed and upgraded according to the highest standards. We implement Privacy and Quality by Design and by Default, as a holistic systems-based approach to the design, development and delivery of services to our clients. We operate under Standard Operating Procedures and we have been certified according to ISO 9001 standards, since 2011. Moreover, we are currently in the process of being certified according to ISO 27001.

3.3. More specifically, Pharmassist operates a local network domain at its Athens premises, controlled by two Windows Domain Controllers. External network perimeter is established and secured by a contemporary firewall with application control capabilities. Local switching is done on five managed Ethernet switches. Wireless access is provided by seven access points with wireless protection authorization and encryption, providing two separate keys for user and guest access. Operational service provisioning is provided by a total of four servers in different roles. A high-capacity system provides uninterruptible power to both the computer room and Desktop computers throughout the building. All equipment has current support contracts provided either by the respective manufacturer, the vendor or an IT support company. The Servers, the Router and Firewall, the Switches and the Backup system are in a secure Computer Room with A/C and Temperature/Humidity/Dewpoint meter.

3.4. The below general measures have been implemented to our daily operations:

  1. Risk assessment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resources security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance control

3.5. Moreover, we train all personnel meticulously and we expect them to follow the principle of strict compliance with all ethical and legal requirements. Violations of the law are not tolerated in our company.

3.6. Paper format files storage and protection: Pharmassist needs to store and process some necessary files (such as contracts, consent forms, invoices etc) containing personal information in hard-copy versions. All such paper-formatted files are filed based on each of our company’s department and are stored in specially designed storage rooms within the premises of our Athens based company. These rooms are locked and access cards are only granted to personnel at a need-to-know basis. Also, safety measures in the event of fire are implemented, including fire-fighting equipment.

Our offices are supplied with shredders, in order to eliminate the possibility of unauthorized access to files containing personal data. Our server room, as described, is also protected and has restricted access, special air-conditioning system and power-supply recovery system.

3.7. Electronic Filing and Storage: Some of your personal information will be stored in the database of our company’s website and/or of our company’s server There is one VDSL data line to access the internet via a router and a Juniper firewall device which separates the local network from the Internet and prevents unauthorized access. Some of the personal data that we lawfully process may be stored at a European cloud service provider.

We apply scaled access to files saved at our network containing personal data, and especially personal data of special categories. More specifically, data is stored in separate databases for every department of our company, whereby access is granted only after requiring a code. According to that, Virtual Privacy Network (VPN) secure connections are being established through the Juniper firewall using company's and personal VPN passwords to our employees and/or partners, with specific rights for each user and only on a need-to-know basis. Windows Domain user name and password are required, following the internal access policy.

Centrally-controlled cloud Anti-malware software is running on all PCs and Servers which is updated in a constant (multiple times per day) basis.

3.8. Recovery and Back-up Procedures: Each server has a mirror disk-set for redundancy and availability (RAID-1). The Domain Controllers offer clustered DNS and DHCP services for the internal network, so in case of a server failure the network will continue to operate. All equipment is connected to UPS power in case the A/C mains power fails. Backup is running every night and saved to external disks. A notification mail is being sent in case of backup failure to a certain person to alarm that the backup has been unsuccessful. Two backup disk sets exist and always a backup-set is being held to a safe place.

3.9. General Controls: Also, controls are implemented on workstations (automatic locking, regular updates, configuration, physical security, etc.) to reduce the possibility to exploit software properties (operating systems, business applications etc.) to adversely affect personal data.

3.10. File transfer: All web traffic (file transfer) between this site and your browser is encrypted and transferred via the 128-bit SSL protocol. Essentially, encryption is a way of encoding the information until it reaches its intended recipient, which will be able to decode it using the appropriate key.

3.11. Email: The data sent to us via email is protected through the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by a TLS security protocol (aka SSL), meaning that email is encrypted using 256-bit SHA-2 encryption before being sent over the Internet. The content of the email is decrypted by our local computers and devices.

3.12. Incident response plan: We have a privacy incident response program designed to promptly respond to and escalate all privacy-related questions, complaints, concerns, including any potential privacy or security breach incident. A Network Monitoring application monitors critical equipment and services and alerts are issue in case of specific events.

4. Data Integrity

Pharmassist shall only process personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes Pharmassist shall take reasonable steps to ensure that personal information is accurate, complete, current and reliable for its intended use.

5. Individuals' rights

5.1. Upon request, and as required by law, Pharmassist will provide to the individuals access to their personal information and allow them to correct, amend or delete inaccurate information, except where the rights of other persons would be violated, legal provisions prohibit it and in any case in accordance to the relevant provisions of GDPR. Individuals, moreover, have the right to address to the Greek Data Protection Authority, if they believe that any of their rights thereof are being violated.

5.2. Pharmassist reserves the right to charge in some cases a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals. Pharmassist, when acting as a CRO at the conduct of clinical trials, has no direct relationship with medical research subjects participating in them and any such Individuals who seek access, or who seek to correct, amend, or delete their Personal Information should direct his or her query to the relevant study sponsor or investigator, which has only transferred such Personal Information to Pharmassist for processing according to their agreement.

6. Data retention

6.1. We will not retain data longer than necessary to fulfil the purposes for which it was collected, according to our contractual arrangements, or as required by applicable laws and regulations.

6.2. The information you provide to us may be archived or stored periodically by us, according to backup processes and will only be retained for as long as is it required for the purposes for which it was collected, unless the law requires us to hold your personal information for a longer period, or delete it sooner, or unless you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.

6.3. Namely, regarding pharmacovigilance, according to the provisions of “Commission Implementing Regulation (EU) No 520/2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council” and articles 12 and 16 thereof: “Marketing authorization holders shall arrange for the elements referred to in Article 2 (the pharmacovigilance system master file) to be kept for at least five years after the system as described in the pharmacovigilance system master file has been formally terminated by the marketing authorization holder. Pharmacovigilance data and documents relating to individual authorized medicinal products shall be retained as long as the product is authorized and for at least 10 years after the marketing authorization has ceased to exist. However, the documents shall be retained for a longer period where Union law or national law so requires.”.

6.4. Moreover, regarding clinical trials, the ministerial act that adopted the Regulation (EU) no 536/2014 of the European Parliament and of the Council on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC in Greece (no. Γ5α/59676/ 2016), provides that: (…) the sponsor and the investigator shall archive the content of the Τrial Μaster File (TMF) for at least 25 years after the end of the clinical trial. (…) The medical files of subjects shall be archived for at least 25 years since the last visit of the last subject that participated in the clinical trial, regardless if the trial has been conducted in a public or private hospital”. However, Pharmassist may only retain the TMFs as long as its contractual obligation towards its contractual party for every specific project is in effect.

6.5. According to Direction no 1/2011 of the National Data Protection Authority, data logs of the security cameras system shall be stored for a specified time, according to the purpose for which they are processed. Unless otherwise provided by law, or unless it is necessary for the investigation of a security breach incident, such files should be destroyed every 15 working days.

7. Our commitment to children's privacy

7.1. Protecting the privacy of children is especially important for us. For that reason, we do not intend to collect or maintain information at our Website from those we know are under 16 years of age, and no part of our Website is structured to attract anyone under 16.

7.2. Also, in cases we need to collect and process personal data of children under 18 years old, we only do that after obtaining explicit consent from their parents or legal guardians (e.g. for their participation at a clinical trial).

8. Compliance

Pharmassist uses an assessment approach, by an expert legal and IT team, to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal information in accordance with this policy and GDPR.

9. Amendments

This privacy policy may be amended from time to time consistent with the requirements of the GDPR. We will post any revised policy on this website.

10. Contact Information

Questions, comments or complaints regarding Pharmassist’s Privacy Policy or data collection and processing practices can be sent by email to: dataprivacy [at] pharmassist-cro.com.