Privacy Shield Statement

Last revised on 10 May 2019

IDDI Inc. has subscribed to the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. IDDI Inc. adheres to the Privacy Shield Principles including the Supplemental Principles, for personal data received from entities in the European Economic Area, the United Kingdom and Switzerland.

This IDDI Privacy Shield Statement together with the IDDI Public Privacy Statement, the IDDI Privacy Statement for Candidates and the IDDI Privacy Statement for Employees describe the privacy practices that we implement for personal data received from the EEA, the United Kingdom or Switzerland in reliance on the Privacy Shield.

If there is any conflict between the terms in this Privacy Shield Statement and the Privacy Shield Principles as concerns the personal data received under the Privacy Shield, the Privacy Shield Principles shall govern to the extent of the conflict. To learn more about the Privacy Shield program visit www.privacyshield.gov, and to view our certification, please visit https://www.privacyshield.gov/list.

1.    Notice and choice

IDDI’s Public Privacy Statement describes how we use personal data in the context of our normal business activities when acting as a data controller; this statement is available on our website. IDDI Privacy Statement for Candidates describes how we treat personal data received from job applicants; this statement is also available on our website. IDDI Privacy Statement for Employees describes how we process personal data in the context of an employment relationship, this statement is communicated to all our employees and available on request.

Each statement explains how data subjects can exercise their rights, including the right to access their data, and how to express their choices.

IDDI also processes personal data on behalf of its customers (data controllers) in the context of its clinical research services related to patient randomization, drug supply management, electronic data capture, data management, biostatistical analysis, IDMC and medical writing. In the context of these activities where IDDI acts as a processor, the notice and choice duties are with the responsible data controllers.

2.   Accountability for onward transfers

IDDI has responsibility for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. IDDI shall remain liable under the Privacy Shield Principles if its agent processes such personal data in a manner inconsistent with the Privacy Shield Principles, unless IDDI proves that it is not responsible.

When acting as a processor IDDI will obtain the approval of the data controller prior to any onward transfer to third parties.

3.    Security

IDDI will employ reasonable and appropriate technical, administrative and physical safeguards to protect personal data in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal data IDDI is processing.

4.    Data integrity and purpose limitation

We only collect personal data that is relevant to our activities and services. We process personal data as notified through one of our Privacy Statements or otherwise agreed with our customers. We take reasonable steps to ensure that the personal data received under the Privacy Shield is accurate, complete, and current.

5.    Access rights

Our different Privacy Statements explain how you may access or submit requests to review, correct, update or delete personal data. You may also ask us to exercise your access rights by sending a written request to dataprivacy@iddi.com

We may limit or deny access to personal data where providing such access is unreasonably burdensome, expensive under the circumstances, or as otherwise permitted by the Privacy Shield Principles.

Where IDDI processes data on behalf of its customers, such access requests must be addressed to the responsible data controllers. IDDI will support its customers in responding to such requests.

6.    Recourse, Enforcement and Liability

If you have any questions or concerns, please write to us at the address listed below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data in accordance with the Privacy Shield Principles in a timely manner.

You may also introduce a complaint with the relevant EU Data Protection Authority (“DPA”) or the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). IDDI has committed to cooperate with the relevant national DPA’s and to comply with the decisions of the DPA panel and the FDPIC. The services of EU DPAs are provided at no cost to you.

Please note that if your complaint is not resolved through any of the above channels a binding arbitration option may be available before a Privacy Shield Panel.

For additional information please see:

https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint

The Federal Trade Commission has jurisdiction over IDDI’s compliance with the Privacy Shield.

7.    How to contact us

You can contact us by mail on dataprivacy@iddi.com, or write to the following address:

IDDI Inc.

7751 Brier Creek Parkway

Suite 204

Raleigh, NC 27617

Attention: Ms. Linda Danielson

8.    Changes to this Privacy Shield Statement

This Privacy Shield Statement may be changed from time to time, consistent with the requirements of the Privacy Shield and in accordance with the IDDI Public Privacy Statement. You can determine when this Privacy Shield Statement was last revised by referring to the “Last Revised” date at the top of this document.