At MedSource, we are fully committed to protecting and respecting your privacy.

Please read this Privacy Notice, together with any other privacy notice that we may provide to you, as it contains important information about how we collect, manage, use and protect your personal data. This Privacy Notice may also be used in conjunction with other privacy notices that we may provide you with in certain situations. This privacy notice explains what personal data we collect from you and how we use it, and is intended to give you confidence in the privacy and security of your Personal Information when accessing the available pages on the MedSource website.

We may change this Privacy Notice from time to time. Please check this policy frequently to ensure you are aware of the most recent version and the date that it was last updated.

This policy was last updated in June, 2018.

If you have any questions regarding this policy or about our privacy practices, please contact us on the below details:

  • E-mail: privacy@medsource.com
  • Post: MedSource, 1 Exchange Crescent, Exchange Square, Edinburgh, EH3 8UL, UK and marking your query for the attention of The Data Protection Officer.


The MedSource Group is made up of different legal entities, details of which can be found on our website, and which may be updated from time to time. When we say ‘MedSource’, ‘we’ or ‘us’ in this policy, we are referring to the relevant company in the MedSource Group responsible for processing your personal data.

MedSource is a "data controller" of the personal data that we hold about you. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

Personal data, or personal information, means any information about an individual from which that person can be identified. Personal information does not include information that is anonymized such that an individual cannot be identified.

We may collect, use, store and transfer different kinds of personal data about you.

We have grouped together the types of information that we may collect from you as follows:

  • Identity Data including name, gender, date of birth, marital status, family members, occupation, professional registration number (if you are a health care professional);
  • Contact Data including home address, business address, email address, phone numbers;
  • Financial Data including bank account details;
  • Transaction Data including details about payments to and from you;
  • Technical Data including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • Usage Data including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call us;
  • Communications Data including your preferences in receiving communications from us;
  • Profile Data including your username and password, preferences, feedback and survey responses.

MedSource may collect data from vendors, contractors, employees and job applicants/candidates, clients, health care professionals (site staff and principal investigators) or patients (although information should be anonymized).

  • Information you give us. You may give us such information directly by registering with us, by participating in a clinical trial, completing forms, corresponding or speaking with us by phone, email, letter or otherwise, submitting a query, providing us with feedback about a product, visiting our website, requesting that we provide you with services / communications, or when we appoint you as a service provider.
  • Information we collect about you. When you visit our website and receive e-mails from us we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this by using cookies.
  • Information provided by cookies.
    •  Cookies are used to improve your experience while visiting our website. Where applicable this website uses a cookie control system allowing you on your first visit to the website to allow or disallow the use of cookies on your computer/device. This complies with legislation requirements for websites to obtain explicit consent from you before leaving behind or reading files such as cookies on your computer/device.
    • Cookies are small files saved to the user's hard drive that track, save and store information about the user's interactions and usage of the website. This allows our website, through its server, to provide users with a tailored experience.
    • If you wish to prevent the use and saving of cookies from this website on to your computer's hard drive you should take necessary steps within your web browser's security settings to block all cookies from our website.
    • Our website uses tracking software to monitor its visitors to better understand how you use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to the user's hard drive in order to track and monitor engagement and usage of the Website, but will not store, save or collect personal information. You can read Google's privacy policy here for further information.
    • Other cookies may be stored on your hard drive by external vendors when our website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer.
    • If you would like further information about cookies and how they are used, you can visit http://www.allaboutcookies.org/.
    • When we e-mail you, such e-mails may contain tracking facilities. Activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include but is not restricted to: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.
  • Information we receive about you from other sources. We may receive information about you if you use any of the other websites we operate or the other services that we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site.

We also work with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

We may receive information if you have provided permission to other organisations to share it with us. Before providing permission to such third party organisations to share your personal data, you should check their privacy notices carefully.

We may take information from publicly available sources (where possible) to keep your information up to date, for example, from the Post Office’s National Change of Address Database or any professional registration database.

We may receive information about you if you apply for a vacancy at MedSource.

We use information held about you in the following ways:

  • To manage and administer our relationship with you
  • To conduct and support clinical trials
  • To carry out our obligations arising from any contracts entered into between you and us
  • To respond to your requests
  • To provide you with information about our activities or tailored information about a programme that you have signed up to
  • To improve our level of service
  • To notify you about changes to our service and notify you of new services
  • To seek your views on our services
  • To consider your application for employment
  • For administrative and quality assurance purposes
  • To ensure that content from our website is presented in the most effective manner for you and for your computer
  • For the purposes of the establishment, exercise or defence of legal claims.
  • To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
  • To allow you to participate in interactive features of our service, when you choose to do so as part of our efforts to keep our site safe and secure
  • Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

We may text or e-mail you to provide you with information about our activities and services supplied by us. You can un-subscribe at any time through an automated system. This process is detailed at the footer of each email. If an automated un-subscription system is unavailable clear instructions on how to un-subscribe will be detailed instead.

We may occasionally, with your consent, call you to provide you with information about our activities or provide you with information about products and services supplied by us. You may unsubscribe to calls by instructing the person calling you or by contacting us at any time on the details set out in the ‘Contact Us’ section of this notice.

We may also communicate with you through postal marketing when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our services, products and other activities and those of other carefully selected organisations. You have the right to contact us at any time and opt-out of receiving postal communications.

There are a number of lawful reasons for us to process your personal data.

One of these is called ‘legitimate interest’ and means that we can process your personal data if (i) we have a genuine and legitimate reason; and (ii) are not harming any of your rights and interests.

Our aim is to deliver and support the delivery of high-quality clinical trials.

We will use your personal data in order to help us achieve this goal and to give you the most appropriate information and services and to provide you with the best experience when dealing with us.

Whenever we process your personal data for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection law.

Other legal bases that we will rely on include the following:

  • If you purchase a product or service from us, we may process your personal data in order to fulfil our contract with you.
  • If we are providing you with e-mail communications, we will only do so with your consent, unless you have purchased services from us, in which case we may rely on our legitimate interests to contact you further. You can ask us not to send such e-mail communications to you at any time by using the details below in the ‘Contact Us’ section.
  • Where we are required to comply with our legal obligations, or to establish and defend our legal rights, or to prevent and detect crimes such as fraud.

We will hold your personal data on our systems for as long as is necessary to fulfil the purposes that we collected it for, including for the purposes of satisfying any legal, accounting or other reporting requirements.

By law, we are required to retain certain information for a prescribed period of time. In circumstances where there are no such legal requirements, to determine the appropriate retention period, we will consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we are processing your personal data and whether we can achieve those purposes through other means.

Therefore, some information may be kept for more or less time depending on how long we reasonably feel it is required for.

We review our retention periods for personal data on a regular basis.

If you ask us to delete your information in accordance with your rights set out below, we will retain basic information on a suppression list to record your request and to avoid sending you unwanted materials in the future.

We will NOT sell your personal data to any third parties.

We may share your personal information with any member of our group where we have a legal basis for doing so.

We may share your information with selected third parties including agents, contractors or partners of MedSource in connection with services that these individuals or entities perform for, or with MedSource. These agents, contractors or partners are restricted from using this information in any way other than to provide services for MedSource, or service for the collaboration in which they and MedSource are engaged.

As MedSource is an international enterprise that consists of numerous entities worldwide, the data that we collect from you may be transferred to, and stored at, a destination outside the European Union ("EU") for the purposes described in this policy. It may also be processed by staff operating outside the EU who work for us or for one of our suppliers.

Data may be transferred to and hosted by a third-party IT service provider in the countries outside of the EU for the purposes of carrying out normal business practices.  We may also share your data with other selected unaffiliated service providers or consultants acting on our behalf, such as external marketing agencies, speciality advisory services or lawyers.

If we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law, for example we may use model contracts in a form approved by regulators. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Where we need to collect personal data by law or under the terms of a contract we have with you or if you wish to participate in a programme and you fail to provide that data when requested, we may not be able to perform the contract we have with you or permit you to participate in the programme. If this is the case, we will notify you at the time.

You have a number of rights. If you would like to exercise any of these rights, please contact us using the details set out below in the ‘Contact Us’ section. If you exercise any of these rights we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge except in exceptional circumstances.

You also have the right to lodge a complaint with the local data protection regulator in your country. In the UK, this is the Information Commissioner’s Office. If you have concerns about how we use your personal information you can contact the Information Commissioner’s Office at: https://ico.org.uk/global/contact-us/.

Your rights include:

  • Transparency over how we use your data and to make a subject access request (right of access);
  • A right to have your personal data updated and corrected (right of correction/rectification);
  • A right to ask us to delete your information (right to be forgotten);
  • A right to ask us to stop processing your information (right to restriction);
  • A right to object to (i) processing based on our legitimate interests; (ii) processing of your information for direct marketing purposes; and (iii) automated decision making and profiling (right to object);
  • A right to receive a copy of your information, or have this sent to a third party (right to data portability); and
  • A right to claim compensation for material or non-material damage caused if we breach the data protection rules (right to compensation).

If you would like to find out more about your rights, you can visit the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr).

We strive to maintain accurate, complete, and relevant personal information for the purposes identified in this privacy statement. If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it. It is important that the personal information we hold about you is accurate and current.

We have implemented reasonable measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration and disclosure. Details of these measures can be obtained on request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Our security measures are regularly reviewed.

If you have any questions regarding this policy or about our privacy practices, wish to exercise any of your rights or wish to make a complaint, please contact our Data Protection Officer at:

  • E-mail: privacy@medsource.com
  • Post: MedSource, 1 Exchange Crescent, Exchange Square, Edinburgh, EH3 8UL, UK and marking your query for the attention of The Data Protection Officer.

 

 EU-US Privacy Shield Policy

 

This Privacy Shield Policy applies to MedSource where we are committed to protecting Personal Information (as defined below) that is received from or about Individuals (as defined below) in the European Economic Area (“EEA”), which may be processed during the performance of our services and business operations. To demonstrate our commitment, MedSource complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and United Kingdom to the United States in reliance of Privacy Shield. MedSource has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

To learn more about the Privacy Shield program and its principles, and to view our certification, please visit https://www.privacyshield.gov/. We also use the standard contractual clauses in accordance with the EU’s General Data Protection Regulation (“GDPR”) for certain transfers of personal information from the EEA to the United States.


This Privacy Shield Policy applies to all Personal Information collected and/or received by MedSource in the U.S. from Individuals in the EEA, including but not limited to Personal Information of clients, vendors, healthcare professionals, patients, medical professionals, study subjects, job applicants and business contacts and partners. This Privacy Shield Policy explains how we collect, manage, use and protect Personal Information and how it may also be used in conjunction with other privacy notices located here: https://medsource.com/about/privacy-policy/.

Adherence to the Privacy Shield Principles may be limited by the following factors:

(i)   To the extent required or allowed by applicable law, rule or regulation;

(ii)   To the extent necessary to respond to lawful requests by public authorities or need to comply with a legal obligation;

(iii) To protect the health, safety or welfare of an Individual;

(iv) If the Individual whose Personal Information is being transferred has expressly consented to the transfer / processing of his/her Personal Information to the U.S. (i.e. an employment contract); or

(v)  The relevant U.S. and EEA entities enter into a Data Sharing Agreement containing the Standard Contractual Clauses (approved by the European Union).

For purposes of this Privacy Shield Policy, the following definitions shall apply:

  • “European Economic Area” (EEA) is composed of the following thirty-one (31) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
  • “Individual” means any natural person located in the EEA whose Personal Information is shared with MedSource located in the United States.
  • “Personnel” includes, but is not limited to, any employee (permanent or temporary), any executive within MedSource, director, officer, contractor, worker, temporary worker, or job applicant.
  • “Personal Information” means any information or set of information about an identified or identifiable individual, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the individual; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to an individual that is combined with any of the above. The term “Personal Information” does not include non-identified information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person) and publicly available information that has not been combined with non-public personal information.
  • “Privacy Shield Principles” collectively means the seven (7) privacy principles, as well as the supplemental privacy principles and the associated guidance, which can be found at https://www.privacyshield.gov.
  • “Sensitive Personal Information” means Personal Information subject to specified extra protection under the EU Data Protection Directive of 95/46/EC, the European Union General Data Protection Regulation or any superseding legislation, such as race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, or that concerns medical or health conditions or sex life. In addition, MedSource will treat as Sensitive Personal Information any information received from an employee or third party where that employee or third party treats and identifies the information as sensitive.

When Personal Information is collected from Individuals, MedSource will explain the scope for why and how we collect, manage, use and protect the Personal Information; the types of third parties to which MedSource shares that information; and the choices and means MedSource offers for limiting the use and disclosure of said Personal Information. Notice will be provided in clear and conspicuous language. Such explanation will be provided promptly and before MedSource discloses or uses any Personal Information for a purpose other than what it was originally intended for. MedSource may also use the Personal Information, as described below, to comply with its legal and regulatory obligations, internal administrative purposes and in accordance with its standard operating procedures.

When acting as a Clinical Research Organization (“CRO”), MedSource will process Personal Information under the direction of our clients and vendors in accordance with the notices and instructions provided by the clients and vendors and the choices made by the Individuals to whom such Personal Information relates. In such circumstances, MedSource’s clients and vendors are responsible for providing notice to the Individuals whose Personal Information is transferred to the U.S. and for obtaining the requisite consents from those Individuals unless MedSource has been delegated with this task.

Types of Personal Information Collected; Purposes of Collection; and Uses of Personal Information:

  • Clinical Studies – Related Information. For Individuals participating in clinical research studies being managed by MedSource or in other situations where MedSource is participating in clinical research studies, including patients, their spouses or significant others, caregivers, and relatives, principal investigators or other research study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates, business partners and third-party service providers, Personal Information may be used in order to carry out the applicable studies and other study-related services and/or pharmacovigilance. This may include the transfer of such Personal Information to the applicable study sponsor, its corporate affiliates, business partners and third-party service providers performing services related to the clinical research study (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).
  • Data Analytics Functions. MedSource obtains and processes information about Individuals for clinical research study purposes. This data has been anonymized or de-identified and is no longer Personal Information when it is obtained by MedSource (or when it is transferred to the U.S.). In some situations, MedSource receives Personal Information from a study sponsor, a clinical research institution or other data supplier for the purpose of such anonymization or de-identification. MedSource’s activities are consistent with the notice and choice provided by these parties and MedSource’s use of this information is consistent with MedSource’s obligation to provide services to these clients and vendors. Where such information is transferred to the U.S., MedSource uses such information consistent with the Privacy Shield Principles and in the manner in which this information was obtained.
  • Health Care Professionals. MedSource collects information about health care professionals directly from the health care professionals, from public sources and from business partners. MedSource uses this information in connection with various health care activities, including clinical research studies, site payment functions and other situations where information from health care professionals is required for the purpose of servicing its clients and vendors.
  • Business Contacts. MedSource collects Personal Information, specifically contact information for its business contacts. This information may be used for purposes consistent with the provision of information by these contacts, which may include submitting Requests for Proposals (“RFPs”) for new business or marketing activities focused on creating new revenue streams.
  • Client and Vendor Information. For Individuals sharing Personal Information with MedSource in order to inquire about, seek information or otherwise make use of our services, including opportunities to participate in clinical research studies, MedSource will use such Personal Information in order to provide the requested information and/or services to such clients and vendors.
  • Human Resources-Related Information. For MedSource Personnel, we will process Personal Information to carry out and support our human resources functions and activities, including but not limited to, (i) evaluation of qualifications for an employment position including background checks of job applicants with the consent of the candidate where required by law; (ii) provision of employment benefits; (iii) administration and management of employees, compensation, stock options, bonuses, retirement, training, and career planning; (iv) utilizing employee skills and ongoing employee resource allocation; (v) communicating with employees or their emergency contacts; (vi) administration of the company's business; (vii) authentication of the individual's identity when gaining access to the computer system applications and network; (viii) Personal Information changes; (ix) employment status changes; (x) travel and expense planning and reimbursement; (xi) evaluation of employee performance and time management; and (xii) management of personnel performance, and implementation, investigation and reporting on compliance and discipline procedures and matters. MedSource may share Personal Information with selected third parties including agents, contractors or partners of MedSource in connection with services that these individuals or entities perform for, or with MedSource. These agents, contractors or partners are restricted from using this Personal Information in any way other than to provide services for MedSource, or service for the collaboration in which the agent and MedSource are engaged. Additional information concerning how MedSource collects, uses, shares and safeguards the Personal Information is available to MedSource Personnel in MedSource’s internal privacy policy.

Individuals have the opportunity to choose (opt-out) whether their Personal Information is (i) to be disclosed to a third party, or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Individual. However, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent of MedSource to perform task(s) on behalf of and under the instructions of MedSource based upon the terms and conditions of the contract entered into between MedSource and the third party.

Regarding the collection and use of Sensitive Personal Information, MedSource shall obtain affirmative express consent (opt in) from Individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the Individuals through the exercise of opt-in choice.  MedSource shall treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive.

In some cases, even if an Individual opts-out of disclosures of their Personal Information, MedSource may still disclose such Personal Information (i) if required to do so by law or a court order; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process during litigation; (iv) to enforce MedSource policies or contracts; (v) to collect monies owed to MedSource; (vi) when disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) in the good faith belief that disclosure is otherwise necessary or advisable.

Transfers to third parties are covered by the provisions in this Privacy Shield Policy regarding the Notice and Choice principles.

In the event such Personal Information is transferred to a third party, MedSource and the applicable third party shall enter into a contract that provides that such Personal Information may only be processed for limited and specified purposes consistent with the consent provided by the Individual and that the third party recipient will provide the same level of protection as the Privacy Shield Principles and will notify MedSource if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party shall cease the processing of the Personal Information and/or take other reasonable and appropriate steps to remediate. Where MedSource has knowledge that the third party is using or disclosing Personal Information in a manner contrary to the Privacy Shield Principles and/or this Privacy Shield Policy, MedSource will take reasonable steps to prevent or stop the use or disclosure of the Personal Information. With respect to onward transfers to third parties, Privacy Shield requires that, to the extent it is responsible for the event, MedSource shall remain liable should its third party process the Personal Information in a manner inconsistent with the Privacy Shield Principles, and MedSource accepts and shall follow this principle.

Where MedSource obtains Personal Information as a CRO providing services for its clients or vendors, MedSource’s clients or vendors shall be responsible for protecting the Individual rights with respect to onward transfers.

MedSource shall endeavor to take reasonable and appropriate technical, administrative and physical precautions designed to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information MedSource is processing, and regardless of whether such Personal Information is in electronic or tangible form. Third parties will only process an Individual’s Personal Information on our instructions and where the third party has agreed to treat the information confidentially and to keep it secure. MedSource also has procedures in place to deal with any suspected data security breach. MedSource will notify you and any applicable regulator of a suspected data security breach where MedSource is legally required to do so. Details of these measures can be obtained on request.

Consistent with the Privacy Shield Principles, MedSource shall limit the use of Personal Information to ensure it is compatible with the purposes for which it has been collected or subsequently authorized by the Individual. MedSource will take the necessary steps designed to ensure that only Personal Information that is relevant to its intended use is accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was collected and is used by MedSource for as long as MedSource retains possession of such information. MedSource will continue to maintain the accurate, complete and current Personal Information for as long as it is needed to serve the purpose for which it was collected. As a CRO, MedSource will only process Personal Information that is relevant to the services it provides, and only for purposes compatible with those for which the Personal Information was collected. Where MedSource processes Personal Information as a CRO or otherwise acts under the direction of its clients, MedSource will work with such clients so that the clients can provide a way for Individuals to correct or update their Personal Information.

Upon request, MedSource will provide an Individual with confirmation regarding whether MedSource is processing their Personal Information. An Individual’s rights include: (i) transparency over how we use your data and to make a subject access request (right of access); (ii) a right to have your personal data updated and corrected (right of correction/rectification); (iii) a right to ask us to delete your information (right to be forgotten); (iv) a right to ask us to stop processing your information (right to restriction); (v) a right to object to (a) processing based on our legitimate interests; (b) processing of your information for direct marketing purposes; and (c) automated decision making and profiling (right to object); (vi) a right to receive a copy of your information, or have this sent to a third party (right to data portability); and (vii) a right to claim compensation for material or non-material damage caused if we breach the data protection rules (right to compensation). MedSource will take reasonable steps to correct, amend, or delete an Individual’s Personal Information that is found to be inaccurate, incomplete or processed in a manner non-compliant with this policy or the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to that Individual’s privacy, where the rights of persons other than the Individual would be violated or where doing so is otherwise consistent with Privacy Shield Principles. When acting as a CRO, MedSource has no direct relationship with study subjects participating in a clinical research study and any such Individuals who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct their query to the relevant study sponsor or principal investigator which has transferred such Personal Information to MedSource for processing.

Individuals have a number of rights and are encouraged to contact MedSource using the details set out below in the ‘Contact Us’ section if Individuals have questions about how their Personal Information is processed. Individuals will be asked for proof of identity and sufficient information about their interactions with MedSource in order to locate their Personal Information and before such information is released.

In accordance with the Privacy Shield Principles, MedSource is committed to resolving complaints about an Individual’s collection or use of their Personal Information. Any Individual with an inquiry or complaint regarding this Privacy Shield Policy should first contact MedSource using the details set out below in the ‘Contact Us’ section. MedSource will investigate and make every attempt to resolve such complaints and/or disputes expeditiously at no cost to the Individual and by reference to the Privacy Shield Principles. In addition, MedSource will cooperate with the panel established by the EU data protection authorities (“DPAs”) and comply with the advice given by the panel with respect to unresolved Privacy Shield complaints related to Individuals’ human resources data transferred from the EEA to the U.S. in the context of the employment relationship.

If an Individual does not receive timely acknowledgement of their complaint from MedSource or if MedSource has not addressed the complaint to the Individual’s satisfaction, the Individual has the right to contact the EU DPAs for more information or to file a complaint. Individuals also have the right to lodge a complaint with the local data protection regulator in their country. The services of EU DPAs are provided at no cost to Individuals. If any request remains unresolved, Individuals may, under certain circumstances, have a right to invoke binding arbitration under Privacy Shield located here: https://www.privacyshield.gov. The Federal Trade Commission has jurisdiction over MedSource’s compliance with the Privacy Shield Principles.

With respect to MedSource Personnel and other human resources related information, MedSource will cooperate with JAMS with respect to the handling of an Individual’s complaint(s). For more information about JAMS and/or to submit a complaint, visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim. Independent dispute resolution mechanisms are available to Individuals free of charge. If any request remains unresolved, Individuals may have a right to invoke binding arbitration under Privacy Shield.

With respect to MedSource acting as a CRO, Individuals may submit complaints concerning the processing of their Personal Information to the respective client, in accordance with the client’s dispute resolution process. Upon the request of the client, MedSource will work with the client and take the necessary steps to remedy any issues that may arise out of any potential failure to comply with the Privacy Shield Principles.

Additionally, any MedSource Personnel who is in violation of the Privacy Shield Principles and/or this Privacy Shield Policy will be subject to disciplinary action up to and including termination of employment, where applicable, in accordance with MedSource’s disciplinary procedures.

If you have any questions regarding this Privacy Shield Policy or about our privacy practices, wish to exercise any of your rights or wish to file a complaint, please contact our Data Protection Officer at:

  • E-mail: privacy@medsource.com
  • Post: MedSource, 1 Exchange Crescent, Exchange Square, Edinburgh, EH3 8UL, UK and marking your query for the attention of The Data Protection Officer

 

UPDATES TO THE PRIVACY SHIELD POLICY: MedSource may make changes to this policy from time to time, without advance notice, to ensure the proper level of protection is effective to safeguard Personal Information and to ensure it is properly maintained in accordance with applicable data protection laws. We recommend that you check for updates to this notice periodically.

PRIVACY POLICY – EFFECTIVE DATE: 25th June, 2020

 

California Consumer Act Privacy Policy (CCAP)

Effective January 1, 2020

This California Consumer Act Privacy Notice (“CCPA Notice”) applies to all Personal Information collected and/or received by MedSource from consumers residing in California. This CCPA Notice explains how we collect, manage, use and protect Personal Information and how it may also be used in conjunction with other privacy notices located here: https://medsource.com/about/privacy-policy/.

For purposes of this CCPA Notice, the following definitions shall apply:

California Consumer Privacy Act of 2018 (“CCPA”) is a data privacy law that was passed by the state of California on June 28, 2018 and went into effect on January 1, 2020. It outlines new standards for data collection, new consequences for businesses that fail to protect user data, and new rights that California consumers can exercise over their data.

“Consumer”: under the CCPA, a consumer is defined as a California resident.

“Business” is a for-profit entity that collects “consumer” data and meets at least one of the following thresholds: (i) annual gross revenue over $25 million; (ii) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes; or (iii) derives 50% or more of its annual revenue from selling consumer personal information.

“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

 

The CCPA lists the following categories of Personal Information:

  • Identifiers and Personal Records (i.e. real name; alias; signature; postal address; email address; telephone number; unique personal identifier; online identifier; Internet Protocol address; device identifiers; email address; account name; Social Security number; driver's license or other state identification number; passport number; insurance policy number; insurance claim number; financial information, including bank account, credit card numbers, bank routing details; employment, including current and historical; association membership; other device identifiers including the operating system, browser type, network information; or other similar identifiers.)
  • Protected legal characteristics (i.e. age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, or veteran or military status.)
  • Commercial information (i.e. records of personal property; products or services purchased, obtained, or considered, including data related to insurance policies; or other purchasing or consuming histories or tendencies.)
  • Biometric information (i.e. Items related to appearance including, but not limited to, height, weight, eye color, hair color; NOT including any genetic data or data that could alone be considered Personal Information when not combined with other information (i.e. fingerprint or genetic data)).
  • Internet activity
  • Geolocation data (i.e. Physical location of users, generally and specifically).
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Employment information
  • Education information
  • Inferences about personal preferences and attributes drawn from profiling (e.g. via cookies)

  • Information you give us. You may give us such information directly by registering with us, by participating in a clinical trial, completing forms, corresponding or speaking with us by phone, email, letter or otherwise, submitting a query, providing us with feedback about a product, visiting our website, requesting that we provide you with services / communications, or when we appoint you as a service provider.
  • Information we collect about you. When you visit our website and receive e-mails from us we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this by using cookies.
  • Information provided by cookies.
    • Cookies are used to improve your experience while visiting our website. Where applicable this website uses a cookie control system allowing you on your first visit to the website to allow or disallow the use of cookies on your computer/device. This complies with legislation requirements for websites to obtain explicit consent from you before leaving behind or reading files such as cookies on your computer/device.
    • Cookies are small files saved to the user's hard drive that track, save and store information about the user's interactions and usage of the website. This allows our website, through its server, to provide users with a tailored experience.
    • If you wish to prevent the use and saving of cookies from this website on to your computer's hard drive you should take necessary steps within your web browser's security settings to block all cookies from our website.
    • Our website uses tracking software to monitor its visitors to better understand how you use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to the user's hard drive in order to track and monitor engagement and usage of the Website, but will not store, save or collect personal information. You can read Google's privacy policy here for further information.
    • Other cookies may be stored on your hard drive by external vendors when our website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer.
    • If you would like further information about cookies and how they are used, you can visit http://www.allaboutcookies.org/.
    • When we e-mail you, such e-mails may contain tracking facilities. Activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include but is not restricted to: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.
  • Information we receive about you from other sources. We may receive information about you if you use any of the other websites we operate or the other services that we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site.

We also work with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

We may receive information if you have provided permission to other organizations to share it with us. Before providing permission to such third party organizations to share your personal data, you should check their privacy notices carefully.

We may take information from publicly available sources (where possible) to keep your information up to date, for example, from the Post Office’s National Change of Address Database or any professional registration database.

We may receive information about you if you apply for a vacancy at MedSource.

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To manage and administer our relationship with you
  • To conduct and support clinical trials
  • To carry out our obligations arising from any contracts entered into between you and us
  • To respond to your requests
  • To provide you with information about our activities or tailored information about a programme that you have signed up to
  • To improve our level of service
  • To notify you about changes to our service and notify you of new services
  • To seek your views on our services
  • To consider your application for employment
  • For administrative and quality assurance purposes
  • To ensure that content from our website is presented in the most effective manner for you and for your computer
  • For the purposes of the establishment, exercise or defense of legal claims.
  • To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
  • To allow you to participate in interactive features of our service, when you choose to do so as part of our efforts to keep our site safe and secure
  • Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply any agreements, including for billing and collection purposes.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of MedSource, its customers, or others. This includes exchanging Personal Information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

We do NOT “sell” Personal Information that we collect from you, in accordance with the definition of “sell” in the CCPA, and will treat Personal Information we collect from you as subject to a do not sell request.

The CCPA provides consumers with specific rights regarding their Personal Information. If you would like to exercise any of these rights, please contact us using the details set out below in the ‘Contact Us’ section. If you exercise any of these rights we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge except in exceptional circumstances.

(1) Access to Personal Information

You may access, update, correct or extract any and all Personal Information directly from MedSource by contacting us using the details set out below in the ‘Contact Us’ section.

For both Personal Information relating to users and the third parties about which you inputted Personal Information, you have the right to request that MedSource disclose certain Personal Information to you about our collection and use of the Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable individual request we will disclose to you:

  • What Personal Information has been collected;
  • The sources from which that Personal Information was collected;
  • The business purposes for collection;
  • Whether that Personal Information is sold, and for what business purpose; and
  • The third-party recipients of the Personal Information.

(2) Deletion Request Rights

We will hold your personal data on our systems for as long as is necessary to fulfil the purposes that we collected it for, including for the purposes of satisfying any legal, accounting or other reporting requirements.

By law, we are required to retain certain information for a prescribed period of time. In circumstances where there are no such legal requirements, to determine the appropriate retention period, we will consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we are processing your personal data and whether we can achieve those purposes through other means.

Therefore, some information may be kept for more or less time depending on how long we reasonably feel it is required for.

We review our retention periods for personal data on a regular basis.

If you ask us to delete your information in accordance with your rights set out below, we will retain basic information on a suppression list to record your request and to avoid sending you unwanted materials in the future.

(3) Exercising Your Rights

To exercise the access and deletion rights described above, please submit a verifiable request to us using the details set out below in the ‘Contact Us’ section. Only you may make a verifiable request related to Personal Information that we collected from you.

You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are either (i) the person about whom we collected Personal Information or (ii) an authorized representative which inputted the Personal Information.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you or an individual about which you inputted Personal Information.

We will respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the date of the request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

(4) Non-Discrimination

We will not discriminate against you for exercising any of your Personal Information rights. Unless permitted by applicable regulations, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Data Security

We have implemented reasonable measures designed to secure your Personal Information from accidental loss and from unauthorized access, use, alteration and disclosure. Details of these measures can be obtained on request.

Third parties will only process your Personal Information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Our security measures are regularly reviewed.

If you have any questions regarding this Privacy Shield Policy or about our privacy practices, wish to exercise any of your rights or wish to file a complaint, please contact our Data Protection Officer at:

  • E-mail: privacy@medsource.com
  • Post: MedSource, 1 Exchange Crescent, Exchange Square, Edinburgh, EH3 8UL, UK and marking your query for the attention of The Data Protection Officer.