EU-US, AND SWISS-US AND UK EXTENSION TO THE EU-US
DATA PRIVACY FRAMEWORK PRIVACY POLICY

SCOPE

Medical Research Network Inc. (“MRN”) complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF) as set forth by the US Department of Commerce.  MRN has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.  MRN has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF.  If there is any conflict between the terms in this privacy policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

PERSONAL DATA PROCESSED

MRN in its capacity as the provider of patient and site centric solutions and clinical trial delivery processes personal information, medical and health related information about individuals as clinical research participants and patients who take part in clinical trials.  MRN also processes personal information regarding clinical research sites’ staff/patients’ family members or caregivers and other Health Care Professionals, human resources related information such as information on candidates, employees and contractors, personal information associated with its business partners/customers, vendors/suppliers.

PURPOSES OF PROCESSING

MRN collects, uses and retains personal information from individuals located in EEA member countries, the United Kingdom (UK) and Switzerland:

  a) for the purposes of clinical trial delivery;
  b) for customer relationship management, customer service and data analytics purposes;
  c) for the purposes of recruitment of personnel and contractors and for the purpose of execution, administration and performance of the employment or contract relationship, and
  d) for the purpose of marketing and business development and other business and promotional activities.

DATA PRIVACY FRAMEWORK PRINCIPLES

  1. NOTICE

MRN will not sell or provide your personal information to any third party without notice.  When MRN directly collects personal information from individuals located in EEA member countries, the United Kingdom (UK) and Switzerland, it, as explained below, advises you about the purposes for which the information is collected and used, and your ability to limit the use and disclosure of such information, and how to contact MRN.  This notice will be provided in clear and conspicuous language, either through this privacy statement or other means such as informed consent forms, statements on MRN’s website and other disclosures.

  2. CHOICE

Except as otherwise permitted by applicable law, MRN does not use or intend to use your personal information for any purpose (other than that for which it was originally collected) without your consent.

MRN does not disclose personal information to third parties for purposes that are incompatible with the purposes for which it was originally collected.  MRN may transfer personal information to third parties who act for or on behalf of MRN, or in connection with the business of MRN, for further processing consistent with purposes for which the data were originally collected.  Where disclosure of personal information to a third party is likely or necessary, further notice may be provided, where appropriate, at such collection points as to the intended use of the data.

  3. ONWARD TRANSFERS

To facilitate the above purposes, personal information will be shared with third party service providers and competent authorities and regulatory bodies.  MRN will endeavour to only transfer personal information to a third party where such third party has given written assurances that it provides at least the same level of privacy protection as required by the Data Privacy Framework (“DPF”) Principles and this Policy and will notify MRN if it makes a determination it can no longer meet this obligation.

With respect to transfers of individuals’ Personal Data to third-party processors, MRN: (i) enters into a contract with each relevant processor, (ii) transfers Personal Data to each such processor only for limited and specified purposes, (iii) ascertains that the processor is obligated to provide the Personal Data with at least the same level of privacy protection as is required by the DPF Principles, (iv) takes reasonable and appropriate steps to ensure that the processor effectively processes the Personal Data in a manner consistent with MRN’s obligations under the DPF Principles, (v) requires the processor to notify MRN if the processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, (vi) upon notice, including under (v) above, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Data by the processor, and (vii) provides a summary or representative copy of the relevant privacy provisions of the processor contract to the Department of Commerce, upon request.

In certain circumstances, MRN shall remain liable if its agent processes such personal information in a manner inconsistent with the Principles, unless MRN proves that it is not responsible for the event giving rise to the damage.

MRN may be required to disclose personal information received from EEA member countries, the United Kingdom and Switzerland in reliance on the DPF in response to lawful requests by US public authorities and governmental bodies, including to meet national security or law enforcement requirements.

  4. RIGHTS TO ACCESS, TO LIMIT USE, AND TO LIMIT DISCLOSURE

In accordance with the Data Privacy Framework, EEA, UK and Swiss residents whose data is collected may have a right to access personal information regarding them, and to limit use and disclosure of their personal information or to object to their personal data being used for any purpose materially different from the purposes disclosed to them or stated within this Privacy Policy, by contacting MRN’s Data Protection Officer (DPO) ([email protected]).

  5. SECURITY

MRN takes all appropriate and reasonable measures to protect the personal data covered by this Data Privacy Framework Policy from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of personal information and the risks involved in the processing in accordance with the Data Privacy Framework.

  6. ENQUIRIES AND COMPLAINTS

In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, MRN commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU, UK and Swiss individuals with enquiries or complaints regarding our handling of personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF should first contact MRN at: [email protected].

In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, MRN commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF to Jams Inc, an alternative dispute resolution provider located in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit Jams Inc. at: https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint.  The services of Jams Inc. are provided at no cost to you.

  7. INVESTIGATION AND ENFORCEMENT

The Federal Trade Commission has jurisdiction over MRN’s compliance with the EU-US Data Privacy Framework (EU-US DPF) and the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF).

  8. ARBITRATION

Under certain conditions, more fully described on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2, you may invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.

  9. HOW TO CONTACT US

To ask questions about this Privacy Policy or to exercise any rights under privacy or data protection laws, please contact us by email at [email protected], or please write to the following address:

Medical Research Network Inc.
Attn: Data Protection Officer
540 Lake Cook Road
Suite 300
Deerfield
IL 60015

  10. CHANGES TO THE PRIVACY POLICY

This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for personal information is maintained.  All amendments will be posted on this website.  Please check back periodically for updates to this Policy.

PRIVACY POLICY – EFFECTIVE DATE: 24 May 2024