Effective date: 27 June 2019
Who ‘we’ are?
ERGOMED PLC, having its registered office in Guildford, England, together with its affiliated companies (jointly hereinafter: ‘ERGOMED’ and/or ‘we’) provides services in clinical research, pharmacovigilance, medical writing and recruitment.
At ERGOMED, we are strongly committed to protecting your privacy. To protect your privacy, we provide this notice explaining our general and online information practices and the choices you can make about the way your information is collected and used.
- ERGOMED’s business clients, partners / potential clients and vendors / contacts;
- ERGOMED’s job applicants;
- visitors / users of ERGOMED’s websites, such as but not limited to:
- Why does ERGOMED collect personal data?;
- What personal data does ERGOMED collect?;
- Recruiting Software – SmartRecruiters
- How personal data will be collected;
- The use of the cookies, Google analytics and plugins;
- Security measures;
- Disclosure and transfer of personal data;
- For how long does ERGOMED store personal data?;
- What are your rights and obligations regarding your personal data?;
- What if you do not want to provide us with your personal data?;
- Contact, questions and further information.
Why does ERGOMED collect personal data?
ERGOMED collects and processes the personal data for the following purposes:
- to provide services to our clients – CRO/CT services, pharmacovigilance services, GxP audit services, medical writing services, recruitment and training services;
- to stay in touch with potential clients and partners for marketing and business development purposes;
- to assess / consider candidates with regard to a current and/or future job application (please note some special clarifications provided in case of your use of the Recruitment Software supplied by – SmartRecruiters);
- to ensure ERGOMED’s IT systems are secure and robust against unauthorised access; and
- for other legitimate interests.
There may be more than one business reason for processing your personal data. Furthermore, the reason(s) for processing your personal data will depend on in which of our services you are interested.
The legal basis in the GDPR for processing your personal data is:
- the processing is necessary for the performance of the contract we have with you or in order to take steps at your request prior to entering into a contract; and/or
- that you have given your consent in relation to one or more purposes as above; and/or
- the processing is mandatory to fulfil legal obligation; and/or
- the processing is necessary to pursue a legitimate, primarily business-related, interest.
ERGOMED will inform data subjects of the purpose for which it processes their personal data and the types of third parties to which it may disclose their personal data. Notice will be provided in clear language when data subjects are first asked to provide personal data to ERGOMED, or as soon as practicable thereafter, and in any event before ERGOMED processes the personal data for a purpose other than for which it was originally collected.
ERGOMED may not need to furnish notice where the processing in question is required by applicable laws, court orders or government regulations; or is necessary to protect ERGOMED’s legal interests.
What personal data does ERGOMED collect?
ERGOMED endeavours to use and transfer personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the data subject.
The list below identifies the categories of data subjects that ERGOMED processes:
- potential partners – visitors of our webpages, medical seminars / webinars or events;
- client related persons – legal representative, business persons, project managers;
- vendor related persons – investigators, auditors and lab staff;
- patients and/or drug consumers for drugs already placed at market (including Reporter for drugs placed at market;
- employees and contractors (current, former, consultants and employee candidates); and
- job applicants.
The list below identifies the categories of personal data that ERGOMED collects:
- name and contact information;
- personal data in CV – references, education and employment history;
- ICT related personal data (login / password, IP-address, etc.);
- health related personal data (e.g. patients’ health data);
- GDPR-related personal data – consents, rights requests, etc.; and
- HR-related personal data – employees, contractors and job applicants.
To this effect, ERGOMED processes following personal data while performing below actions and services:
a. Clinical research services: As a global CRO, we collect and analyse health data relating to clinical research subjects, on behalf and according to the directions of our clients (sponsors of clinical research). To stay compliant with Good Clinical Practice, all clinical research subjects’ personal data and samples are only processed in pseudonymised form i.e. neither their name nor other direct identifiers will be recorded at ERGOMED, instead only a number and/or a letter code, possibly together with their year of birth. The code which is required to match the coded data with clinical research subjects’ name will be kept confidential and will stay only at the investigational site with the investigator (clinical research doctor). Only investigators, other research teams and authorized ERGOMED’s personnel, such as study physician, auditors and monitors, may access the complete clinical research subjects’ medical records at the investigational sites. The processing of clinical research subjects’ personal data is based on their explicit consent, obtained by the investigator or other research team upon written contract between Ergomed and site. Generally, all health and clinical data processing by ERGOMED is done according to the contract with ERGOMED’s sponsor, whereas the sponsor is considered as the data controller and is ultimately in charge of why and how this data is processed, whereas ERGOMED is data processor and acts upon the sponsor’s instructions. In cases when children (the age requirements vary from country to country) are involved in research, ERGOMED processes their personal data only after obtaining explicit consent from their parents or legal guardians.
ERGOMED collects CVs of investigators and other research team with the aim of identifying their potential participation in clinical research, as well as their financial information to support the payment of their services. ERGOMED keeps personal data of investigators and research teams on the basis of an executed contract or of ERGOMED’s legitimate interest to continue future cooperation with them.
ERGOMED also conducts qualification of research sites and vendors to ensure they have sufficient capacity to timely deliver work of a good quality. Part of the qualification review is assessment of CVs and training records. While evaluating the services, ERGOMED also collects contact details of participants in the qualification. Same categories of data would be looked at during the re-assessment process.
b. Pharmacovigilance: According to Good Pharmacovigilance Practice, each Marketing Authorisation Holder (MAH) has to establish an appropriate pharmacovigilance system for the collection, evaluation and notification of safety information relevant to the risk-benefit balance of their medicinal products. ERGOMED performs pharmacovigilance services upon the contract with MAH and on behalf of MAH. MAHs should collect as much information as possible on the suspected medicinal product related adverse events. Therefore, ERGOMED may collect and process on behalf of MAH data that identifies the patient and the reporter (e.g. age, weight, height, health status) as well as personal identification and contact details if a follow-up to the adverse event is required.
ERGOMED also conducts audits of vendors to ensure that they have sufficient capacity to timely deliver work of good quality. Part of the qualification review is assessment of CVs and training records. While evaluating the services, ERGOMED collects also contact details of participant in the qualification. Same categories of data would be looked at during the re-assessment process.
c. Human Resource data: ERGOMED collects personal data of job applicants which are relevant to decide on their employment. ERGOMED may also conduct a background check as well as collect right to work documentation as required by law. Once employed or contracted as a consultant on a freelance basis, ERGOMED collects relevant data for human resource, performance, payroll and tax purposes. ERGOMED may keep employees’ and consultants’ training records in the contexts of performing their contract with ERGOMED.
ERGOMED may transfer its employees’ and consultants’ CVs to regulatory institutions, clients and partners when required by regulation or contracts with clients, or during the negotiation phase before execution of contract, while considering business cooperation.
NOTE: Please pay attention! ERGOMED is partnering with SmartRecruiters and is using its recruitment software platform. Keep in mind that there are specifics with regards to personal data processing for job seekers using SmartRecruiters’ Recruiting Software (elaborated in detail in the following section: Recruiting Software – SmartRecruiters).
Recruiting Software – SmartRecruiters
ERGOMED is using services provided by SmartRecruiters. SmartRecruiters is a technology services company which provides a recruitment software platform to other businesses. This software helps Ergomed to publicise its roles, manage its interaction with candidates, assess suitability and manage the offer process.
Please be aware that you may be required to set up a personal account (“Candidate Portal”) which allows you to manage different job opportunities and track your applications of several Employers (one of them potentially being ERGOMED). In your Candidate Portal, which is accessible on https://my.smartrecruiters.com/, you may register through the email you received after applying, or if your consent was requested. This is operated by SmartRecruiters for which it is responsible. The registration requires your email address and a password. Your profile will be made available and visible to the Employer to which you applied. You will receive job alerts from the Employers to which you applied. In order to provide world-class services to you and the Employer, SmartRecruiters uses third-party providers to help perform statistical analysis, technical support, and data hosting. Your application information will be collected by SmartRecruiters and be made available to you through the Candidate Portal. SmartRecruiters will never sell, rent, or lease the collected Personal Data.
Please note that SmartRecruiters will collect the following data from you:
- Data that you input during the application process or job alert creation (such as contact information, experience and education, attachments and answers to screening questions.
- Your IP Address;
- Your login information (email address and encrypted password) for your Candidate Portal; and
- Cookies, which allow SmartRecruiters to know how their services are accessed and used.
From the ERGOMED perspective, your collected and processed personal data shall be stored for a period of 12 (twelve) months after collection. You may be contacted by Ergomed during this time about relevant job vacancies that become available. After 12 (twelve) months you will be contacted directly from ERGOMED and asked to explicitly opt-in if you want your data still to be used and stored by ERGOMED. Only if you explicitly agree, ERGOMED will continue to process your data. If you do not explicitly agree (opt-in) all of your data collected and stored shall be deleted in line with established procedures within the Company. During the 12-month period you may request deletion of your data at any time.
How personal data will be collected?
Your personal data will be collected primarily from you – through the online forms (our websites or via other channels) or paper forms, your visit card, emails, phone calls, application / recruitment process and others. We may possibly receive your personal data from a third party, too (for example from a recruitment company). Further information will be obtained directly from you during the course of your engagement with us, for example through communication with you.
In conducting clinical research, ERGOMED sources personal data of investigators and research teams from ERGOMED’s databases, indirectly from public sources, data brokers and reliable referrals.
The use of the cookies, Google analytics & plugins
Please note that you can find sharing buttons on our websites (for Facebook, Twitter etc.). Once you use these buttons you will be linked to the social media websites with their own privacy policies (they are not our personal data processors).
Finally, ERGOMED uses a variety of security measures (physical, organizational, electronic, and technical) to enhance the security of personal data processing – both internally and on webpages to secure any personal information from loss, misuse, unauthorized access or disclosure, alteration or destruction.
ERGOMED operates in compliance with detailed policies and procedures. We put in place appropriate, industry accepted controls and measures to mitigate and manage the risk, including but not limited to: security policy, physical and logical security, access control, firewalls including IPS, data encryption, anti-malware scanners, security patching, backups & DRPs and staff training.
ERGOMED archives and processes some documents containing personal data in hard-copy formats. All such documents are stored in lockable cabinets with access granted only to personnel on a need-to-know basis. ERGOMED ERGOMED has implemented various safety measures in case of a fire, such as, smoke detectors and fire-fighting equipment.Furthermore, our offices are supplied with shredders, in order to secure proper disposal of data and preventing unauthorised access to files containing confidential and personal data.
In addition, we have implemented an access control system, by installing card-access at entrance doors to our premises. No biometric data, such as the fingerprints of the users of these cards, are being processed. Also, at the entrance of some of our offices, parking lots and in front of server rooms we installed CCTV (security cameras systems) for the purpose of crime prevention and protecting monitoring server rooms’ access. None of such surveillance is aimed to record ERGOMED employees’ performance. We have displayed warning signs within the area captured by CCTV.
Disclosure and transfer of personal data
ERGOMED will not trade in any way with your personal data. Generally, all information collected through our websites will be sent through to company mailboxes and further processed in the company’s internal network. Our clients and patients use the standard channels of communication to provide us with the personal data for research. We use selected contract-based processors for the processing your personal data which assure the same level of your personal data security as we do.
All companies within ERGOMED Group have executed Intercompany Personal Data Processing Agreement with purpose to create a common policies and procedures for all ERGOMED Group to comply with data protection legislation while processing and transferring personal date between themselves and with third parties.
The cross-border transfer of personal data to a third country (country which is neither an EU member nor an EEA member and which do not ensure an adequate level of data protection as per GDPR) will be carried out by ensuring compliance with all the formalities and procedures reasonably required by the GDPR, such as execution of a Standard Contractual Clauses obtaining written explicit consent of data subjects, etc.
Until the end of 2020, the UK is bound by EU Legislation and still considered as the Member State within the Community (with established and accepted appropriate level of data protection). In In consideration of future changes, this Policy will be further amended accordingly.
For how long does ERGOMED store personal data?
Generally, we will retain your personal data during the statutory (including fiscal) retention periods and limitation periods. If such periods do not apply to the relevant personal data, we will keep your personal data for no longer than is necessary for the purposes for which the personal data is processed, unless the law requires us to hold your personal data for a longer period, or delete it sooner, or unless you exercise your right to have your data erased and we do not need to hold it in connection with any of the reasons permitted or required under the law.
Your IP-address, collected during your website visits, will be deleted as soon as possible, unless there are legitimate security reasons for keeping it.
Please note that where you unsubscribe from our marketing communications, we will keep a record of your email address to ensure that we do not send you marketing emails in future.
At the end of the retention period, your data will be reviewed and deleted, unless there is a specific legitimate reason for keeping it.
a. Retention in clinical trials: Regulation (EU) no 536/2014 of the European Parliament and of the Council on clinical trials on medicinal products for human use and repealing Directive 2001/20/EC regulates that unless other Union law requires archiving for a longer period, the sponsor and the investigator will archive the content of the clinical trial master file for at least 25 years after the end of the clinical trial. Though ERGOMED may only retain the trial master file if and as long as agreed with the sponsor for each specific research and in line with local regulatory requirements.
b. Retention in pharmacovigilance: For services provided within the EU, Commission Implementing Regulation (EU) No 520/2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council states that MAH will arrange for the pharmacovigilance system master file to be kept for at least 5 years after the system as described in the pharmacovigilance system master file has been formally terminated by the MAH. Pharmacovigilance data and documents relating to individual authorized medicinal products will be retained for as long as the product is authorized and for at least 10 years after the marketing authorization has ceased to exist. However, the documents will be retained for a longer period where Union law or any national law so requires.
What are your rights and obligations regarding your personal data?
With regard to your personal data that ERGOMED processes, you have the right to:
- be informed – this means that you will be informed that ERGOMED started the processing of your personal data;
- access – this means that you have the right to access the personal data ERGOMED keeps about you;
- rectification – should any data ERGOMED keeps about you be incomplete or inaccurate, you have the right to request ERGOMED to correct it;
- erasure – you have the right to ask ERGOMED to erase your personal data from ERGOMED’s systems where you believe there is no reason for ERGOMED to continue processing it;
- restriction of processing – in certain cases you have the right to obtain from ERGOMED restriction of processing;
- object to processing – in case of your particular situation and if ERGOMED relies on a legitimate interest as the legal basis for the processing of your personal data, you have the right to object to processing;
- portability – this means that you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another party.
- withdraw the consent given – this means that you can withdraw your consent (if previously given) at anytime, without affecting the lawfulness of any processing based on consent before its withdrawal. However, in certain cases the processing of your personal data is also based on another legal basis and in such case ERGOMED will continue using your personal data;
- not to be subject of the decision based solely on automated processing – this means that ERGOMED may not make any decision based solely on automated processing. ERGOMED does not process the personal data in this way.
ERGOMED reserves the right to charge in some cases a reasonable fee to cover costs for accommodating your requests.
Furthermore, you have the right to lodge a complaint with your national data protection authority. All these rights are subject to the conditions as laid down in the GDPR.
You have the right to ask us not to process your personal data for marketing purposes. We will usually upfront inform you if we intend to use your data for such purposes or if we intend to disclose your data to any third party for such purposes.
While conducting clinical research, ERGOMED has no direct relationship with clinical research subject. Therefore, clinical research subjects who participate in the clinical research should address all their requests and inquiries to the investigator or sponsor of the clinical research.
What if you do not want to provide us with your personal data?
Finally, what happens if you do not want to provide ERGOMED with your personal data? Providing appropriate personal data is a precondition for specific services, such as the performance of an executed contract, the possibility to apply successfully for a job, or where there is a legal obligation to process the personal data. Failure to provide specific personal data may affect ERGOMED’s ability to enter into a contract with you, to contact you and/or to proceed with the selection procedure (e.g. investigator, reporter, job applicant, etc.).
Contact, questions and further information