EU-U.S. and Swiss-U.S. Privacy Shield Statement

Effective: August 14, 2020

This EU-U.S. and Swiss-U.S. Privacy Shield Statement (Privacy Statement) sets forth the principles that Metrum Research Group, Inc. (MetrumRG) follows in connection with the transfer of personal information from the European Union (EU), the United Kingdom (UK) and Switzerland to the United States of America.

Scope
MetrumRG complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield. MetrumRG has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

Types of Data and Purpose of Processing
MetrumRG receives personal information, such as health information, related to clinical trial participants from sponsors of clinical trials for the purposes of providing services and solutions in decision informatics, such as the building of mathematical models and simulators. In this capacity, MetrumRG is the data processor of client-controlled data. The data that we receive from clients are typically key-coded and cannot reasonably be used to identify an individual. This Privacy Statement applies to personal data transferred out of the EU, UK, or Switzerland to the United States to the extent the transferred data are not key-coded as outlined under the Privacy Shield Supplemental Principle 14 (Pharmaceutical and Medical Products). Upon completion of services using the personal data provided to us, the data are destroyed, stored and/or returned to the client according to our formal procedures and the terms of the applicable client agreement(s).

MetrumRG also collects personal information about visitors to our website. For example, individuals who request information about MetrumRG services may be asked to provide personal information in order to receive the requested information. Further information regarding our website privacy practices is available here: https://metrumrg.com/website-privacy.

Choice and Access
In accordance with the Privacy Shield Principles of Choice and Access, MetrumRG supports the individual’s rights to access, to limit use, to limit disclosure, to correct, to amend, or to delete their personal data. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@metrumrg.com.

As the data processor of client-controlled data, MetrumRG does not hold information that would allow MetrumRG to directly identify clinical trial subjects. MetrumRG agrees to support our clients in responding to such inquiries regarding choice and access.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@metrumrg.com.

Accountability for Onward Transfer
We do not transfer any data to third parties, but if we were to, MetrumRG is responsible for the processing of personal information it receives and subsequently transfers to a third party acting as an agent on its behalf. MetrumRG remains liable under the Privacy Shield if its agent processes such personal information in a manner inconsistent with the Principles, unless MetrumRG proves that it is not responsible for the event giving rise to the damage.

Security
MetrumRG uses appropriate technical, organizational and administrative security measures to protect information we hold from loss, misuse, unauthorized access, disclosure, alteration or destruction. Our security measures may include:

  • Pseudonymization of data prior to its transfer to MetrumRG
  • Encryption
  • Written security and privacy policies
  • Enactment of Standard Contractual Clauses
  • Regular cybersecurity training for employees
  • Other industry standard security and privacy controls

Data Integrity and Purpose Limitation
Consistent with the Privacy Shield Principles, the personal information that MetrumRG receives from its clients is limited to that which is relevant for providing services. MetrumRG’s clients who are the sponsors of clinical trials are required by law to obtain informed consent from trial subjects for their personal information to be collected and analyzed. MetrumRG uses personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. To the extent necessary for those purposes, MetrumRG takes reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. MetrumRG agrees to adhere to the Privacy Shield Principles for as long as it retains such information.

Recourse, Enforcement, and Liability
In compliance with the Privacy Shield Principles, MetrumRG commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the Privacy Shield. EU, UK, and Swiss individuals with Privacy Shield inquiries or complaints should first contact MetrumRG at: privacy@metrumrg.com.
MetrumRG has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU Privacy Shield. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

MetrumRG’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

MetrumRG may be required to disclose personal information received from the EU, UK, and Switzerland in reliance on the Privacy Shield in response to lawful requests by U.S. public authorities, including to meet national security or law enforcement requirements.