Privacy Shield Policy Statement
This Policy was last updated on September 29, 2017.
Everest Clinical Research Corporation (Everest) respects the laws for privacy of its employees, clients, vendors and other visitors. Everest receives information from visitors worldwide. The use and disclosure of their personal information is in accordance with their local laws and regulations. This Privacy Shield Policy Statement describes the privacy principles Everest follows regarding transfer of personal information from the European Union (EU) or Switzerland to the United States (U.S.). Everest certifies compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework requirements (https://www.privacyshield.gov/list).
Privacy Shield Principles
This Policy applies to all personal information from the EU and Switzerland collected and processed by Everest.
Data Protection Principles
Everest understands the importance of protecting the privacy of personal information. We limit the information we collect to what is needed for the purposes for which it was collected, and will only use it for those purposes. Data is retained for as long as it is needed for the purpose it was collected, or as permitted by law.
Data collected to provide the individual with a user account to facilitate participation in a clinical trial conducted by Everest may be accessed by clinical trial sponsor representatives and applicable regulatory authorities and is provided to the sponsor at the end of the clinical trial. The data may be stored on servers in the U.S. Third party vendors may process and store the data during the clinical trial conduct. When third party vendors are involved, they will ensure that (1) the data may only be processed for the limited and specified purposes consistent with the consent provided by the individual; (2) they will provide the same level of protection to the data as Everest provides; and (3) they will notify Everest if they can no longer meet this obligation. If the third party vendor notifies Everest that they can no longer meet this obligation, the third party vendor ceases processing or takes other reasonable and appropriate steps to remediate. These steps are in place because Everest has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf (e.g. a vendor). Everest shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Everest proves that it is not responsible for the event giving rise to the damage.
Data collected to be included in an investigators registry may be accessed by clinical trial sponsors who are Everest clients.
In the remote case that any U.S. law enforcement agency requests that data be released, this data will be provided as required by law. Data collected and/or processed by Everest may be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). The FTC has jurisdiction over Everest’s compliance with the Privacy Shield. Everest is required to disclose personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements. Everest commits to notify individuals of the requirement to disclose personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements, and its liability in cases of onward transfers to third parties.
When data is collected in order to provide the individual with a user account to facilitate participation in a clinical trial conducted by Everest, the data must be retained according to the applicable regulatory requirements. The individual may opt not to participate in the clinical trial before submitting the personal information to Everest.
When data was collected in order to be included in an investigators registry, Everest gives individuals the opportunity to choose (opt out/withdraw consent) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
Accountability for Onward Transfer (Transfers to Third Parties)
To disclose information to a third party, Everest applies the notice and choice principles. Where Everest wishes to transfer information to a third party that is acting as an agent, Everest will also enter into a contract with the third party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Everest if it makes a determination that it can no longer meet this obligation. This contract shall detail the ways in which the third party fulfills these responsibilities.
Everest takes reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Data Integrity and Purpose Limitation
Personal information collected is relevant for the purposes for which it is to be used. Everest takes reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
Upon request, individuals have access to personal information about them that Everest holds and they can request to have it corrected, amended, or deleted if that information is found to be inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Recourse, Enforcement and Liability
To ensure compliance with the Privacy Shield principles, Everest developed (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments Everest makes to adhere to the Privacy Shield principles are implemented; and (c) obligations to remedy problems arising out of failure to comply with the principles.
The Everest Privacy Officer may be contacted, at the address below, with any questions, concerns, or complaints regarding this Policy. Everest will investigate and attempt to resolve complaints and disputes regarding this Policy.
Brian Wettlaufer, Privacy Officer
c/o Everest Clinical Research Corporation
675 Cochrane Drive, East Tower, 4th Floor
Markham, Ontario, Canada, L3R 0B8
Tel: +1 (905) 752-5208
Fax: +1 (905) 752-5223
Everest has contracted an Independent Recourse Mechanism for dispute resolution at no charge to the individual, in cases when inquiries and complaints were not adequately addressed: https://www.whistic.com/privacyshield/complaints
In addition, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms (see https://www.privacyshield.gov/article?id=ANNEX-I-introduction for additional information).
Changes to this Policy
This policy will be updated as needed to maintain consistency with the requirements of the Privacy Shield Principles and Everest internal privacy requirements.