This Policy was last updated on October 13, 2022.
The purpose of this policy is to explain the collection and handling of personal information at Everest.
Everest Clinical Research Corporation (Everest) respects the laws for privacy of its employees, clients, vendors and other visitors. Everest is committed to providing our visitors with a website that respects their privacy. Some pages on our website require personal information to be collected from our visitors so we can provide them with information or services they have requested. The use and disclosure of their personal information is in accordance with their local laws and regulations, including Data Protection regulations.
In addition, for the collection, use, and retention of personal information transferred from the European Union and United
Kingdom, Everest complies with the EU GDPR (General Data Protection Regulation) and the United Kingdom’s Data Protection
Act 2018 (the "UK GDPR"), and has Data Transfer Agreements in place with its clients and vendors.
Data Protection Principles
Personal Information provided to Everest may be used for the following purposes, each a “Purpose”:
- To respond to your request about a career opportunity.
- To deliver services and information about Everest that you request.
- To provide you with access to protected areas of the Everest website.
- To provide you with a user account to facilitate your participation in a clinical trial conducted by Everest.
- To include your information in an investigators registry so that it may be provided to Everest clients for consideration to participate in their Clinical Trials.
We will obtain your consent if we wish to use your information for any other Purpose. We will not release your personal information to other persons unless one of the following conditions apply:
- Where we have your consent.
- Where we are required by law, regulation, subpoena, or judicial or government order to be disclosed, provided Everest shall promptly notify you upon such request for disclosure and prior to such disclosure to permit you to oppose such disclosure by appropriate legal action.
Everest is the owner of all information collected on this website. If your personal information is collected and processed for the Purpose of your participation in a clinical trial, the clinical trial sponsor is the owner of this personal information collected. Everest processes this personal information according to the written agreement between Everest and the clinical trial sponsor.
Everest understands the importance of protecting the privacy of personal information. We limit the information we collect to what is needed for the Purpose, and we will only process it for the Purpose. Data is retained for as long as it is needed for the Purpose, or as permitted by law.
Personal information collected may include your name, email address, home or business address and phone number, current position title, and IP address (through navigation on our website). Our website collects personal information from you in the following ways:
- You may submit your personal information in response to a career opportunity within Everest.
- You may provide your personal contact information so that we can provide you with information to a specific request or service.
- In submitting a request for access to protected areas of our website, you will be required to provide personal contact information.
- If registering in our Investigator Registry, you will be required to provide personal contact information.
- While navigating through the Everest website, information is collected electronically for analytical purposes; information collected includes IP address, browser type, operating system, and access times. This information is collected so that we may analyze usage in an effort to continually improve our website and user engagement.
Data collected to provide the individual with a user account to facilitate participation in a clinical trial conducted by Everest may be accessed by clinical trial sponsor representatives and applicable regulatory authorities and is provided to the clinical trial sponsor at the end of the clinical trial. The Data may be stored on servers in Canada, U.S.A., and Germany. Third party vendors may process and store the Data during the clinical trial conduct. When third party vendors are involved, they will ensure that (1) the Data may only be processed for the limited and specified Purposes consistent with the consent provided by the individual; (2) they will provide the same level of protection to the Data as Everest provides; and (3) they will notify Everest if they can no longer meet this obligation. If the third party vendor notifies Everest that they can no longer meet this obligation, the third party vendor ceases processing or takes other reasonable and appropriate steps to remediate. These steps are in place because Everest has responsibility for the processing of personal information it receives under the EU-US and Swiss-US Privacy Shield Framework and the subsequent transfers of such personal information to a third party acting as an agent on its behalf (e.g., a vendor). Everest shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Everest proves that it is not responsible for the event giving rise to the inconsistency. Procedures are in place to ensure privacy breach incidents are communicated and followed up consistent with all applicable regulatory requirements, and according to Everest’s Policy EV.102 “Operational Policies Covering Confidentiality, Privacy, and Security”.
Data collected through the Investigator Registry information gathering page may be accessed by clinical trial sponsors who are Everest clients.
In the unlikely event that a U.S. Law Enforcement agency requests Data to be released, this Data will be provided as required by law. Data collected and/or processed by Everest may be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). The FTC has jurisdiction over Everest’s compliance with the EU-US and Swiss-US Privacy Shield Framework. Everest is required to disclose personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements. Everest commits to notify individuals of the requirement to disclose personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements, and its liability in cases of onward transfers to third parties.
The choice to provide Everest with personal information is always yours. When Data is collected in order to provide the individual with a user account to facilitate participation in a clinical trial conducted by Everest, the Data must be retained according to the applicable regulatory requirements. The individual may opt not to participate in the clinical trial before submitting the personal information to Everest.
When Data is collected to be included in an Investigator Registry, Everest gives individuals the opportunity to choose (opt out/withdraw consent) whether their personal information will be disclosed to a third party or used for a Purpose incompatible with the Purpose for which it was originally collected or subsequently authorized by the individual.
Accountability for Onward Transfer (Transfers to Third Parties)
To disclose information to a third party, Everest applies the Notice and Choice Principles. Where Everest wishes to transfer information to a third party that is acting as an agent, Everest will also enter into a contract with the third party that provides that such Data may only be processed for limited and specified Purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Everest if it makes a determination that it can no longer meet this obligation. This contract shall detail the ways in which the third party fulfills these responsibilities.
Everest has implemented appropriate technical, physical and organizational measures designed to protect personal information against accidental loss, misuse, alteration, unauthorized access, disclosure, unauthorized and unlawful destruction, and any forms of unlawful processing.
Data Integrity and Purpose Limitation
Personal information collected is relevant for the Purposes for which it is to be used. Everest takes reasonable steps to ensure that Data is reliable for its intended use, accurate, complete, and current.
Upon request, individuals have access to their personal information that Everest holds and they can request to have it corrected, amended, or deleted if that information is found to be inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. This request can be made to the Everest Privacy Officer. Access will be provided only when the individual’s identity is confirmed.
Recourse, Enforcement and Liability
The Everest Privacy Officer may be contacted with any questions, concerns, or complaints regarding this Policy. Everest will investigate and attempt to resolve complaints and disputes regarding this Policy.
If the communication with the Privacy Officer has not provided adequate resolution, Everest has contracted an Independent Recourse Mechanism for dispute resolution at no charge to the individual. To ensure compliance with the Privacy Shield Principles, Everest developed: (a) a readily available Independent Recourse Mechanism, https://www.jamsadr.com/eu-us-privacy-shield, so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures to verify Everest’s commitments to adhere to the Privacy Shield Principles are implemented; and (c) obligations to remedy problems arising out of failure to comply with the Principles.
In addition, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding EU-US and Swiss-US Privacy Shield Framework compliance not resolved by any of the other EU-US and Swiss-US Privacy Shield Framework mechanism (see ANNEX I for additional information).
Protection of California User’s Personal Information
On June 28, 2018, California passed a new privacy bill, AB 375, known as the California Consumer Privacy Act of 2018 (“CCPA”). This Act is Effective as of January 1, 2020. Everest is providing this supplemental privacy notice to California users pursuant to the CCPA. The CCPA grants California residents the following rights:
- Information. You can request information about how Everest has collected, used and shared your personal information during the past 12 months.
- Access. You can request a copy of the personal information that Everest maintains about you.
- Deletion. You can ask to delete the personal information that Everest maintains about you.
- Opt-out of sale of your personal information. While Everest does not engage in any Sale of personal data in the context of our processing, we offer instructions on how to limit online tracking.
- Please note that the CCPA limits these rights by, for example, prohibiting businesses from providing certain sensitive information in response to an access request and limiting the circumstances in which they must comply with a deletion request.
- You are entitled to exercise the rights described above free from discrimination.
To submit a request, please contact the Everest Privacy Officer. See below for contact details.
Protection of Children's Personal Information
Everest recognizes the importance of protecting the privacy of children. We do not knowingly collect personal information from children under the age of 16. If we become aware of collecting information through our website(s) from a child under the age of 16, we will delete that information immediately. The Parent(s)/Guardian(s) may contact us if it is believed that we might have any information from a child under 16.
You always have the right to decline our cookies by modifying your web browser preferences to reject cookies (e.g., in Google Chrome, navigate to “Settings” →“Advanced”→“Privacy and security”→“Site Settings”→“Permissions”→ “Cookies and site data” to modify settings), although this may adversely affect the usability of the site. You will be presented with a pop-up screen requiring consent to store the cookies on your device. If you click “I Accept” or continue to navigate our website, you agree to having those cookies set on your device.
Changes to this Policy
This policy will be updated as needed to maintain consistency with privacy laws and regulations and Everest internal privacy requirements.
Everest Privacy Officer
The Everest Privacy Officer may be contacted for any privacy related questions or complaints:
Brian Wettlaufer, Privacy Officer
c/o Everest Clinical Research Corporation
675 Cochrane Drive, East Tower, 4th Floor
Markham, Ontario, Canada, L3R 0B8
Tel: +1 (905) 752-5208
Fax: +1 (905) 752-5223