The purpose of this policy is to ensure that Maxis Clinical Sciences, LLC (“Maxis Clinical Sciences”) meets its legal, statutory and regulatory obligations under the Data Protection Laws and to ensure that all personal and special category information is processed compliantly and in the Data Subjects’ best interest.
Maxis Clinical Sciences is committed to respecting the rights of the individuals on the confidentiality and protection of their Personal Data and processes personal data according to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the UK Data Protection Act 2018 and other applicable laws governing the processing of personal data (the “Data Protection Laws”).
Maxis Clinical Sciences may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective and past), Investigator and other site staff, clinical trial participants and sponsors of clinical trials where Maxis Clinical Sciences provides contracted clinical trial services to clients, visitors to the website, or any other individual that Maxis Clinical Sciences has a relationship with or may need to contact.
Data is transferred outside the UK on the basis of a declaration of adequacy.
Unless otherwise specified in the document, this policy applies to all Processing operations carried out by Maxis Clinical Sciences in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Maxis Clinical Sciences Data Protection standards and to comply with international regulations governing Data Privacy. When Maxis Clinical Sciences processes Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Maxis Clinical Sciences). This policy applies to data collected and processed for any business purposes, including Talent & Culture (T&C); however, certain sections will apply only when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union or the UK. The policy also describes how any data breaches will be investigated and reported and protects the rights of all individuals who may have personal information collected by Maxis Clinical Sciences.
1.1. The General Data Protection Regulation (EU) (2016/679) (“GDPR”) is underpinned by 6 primary principles (Article 5 of the GDPR), as follows:
1.2. Depending on the type of Processing (e.g., contractual or legal obligations, marketing), the type of Personal Data (e.g., data relating to health), and the type of Data Subjects to which the Personal Data relates (e.g., children/minors), further principles and obligations may be imposed.
Authorized Personnel means all employees and consultants of Maxis Clinical Sciences (acting either as Data Privacy Controller or Data Processor) who are authorized to process or use Personal Data on the basis of the tasks assigned to them in the performance of their duties.
Data Privacy Controller is the natural or legal person that determines the purposes, conditions, and means of the Processing of Personal Data — i.e., a company or organization which requires Personal Data. For the purposes of this Policy and with reference to the Processing described therein, the Data Privacy Controller is Maxis Clinical Sciences.
Data Privacy Coordinators are internal focal points, identified for organizational purposes, for the practical and operational management of the Processing activities (e.g., T&C manager, Legal manager, etc.); therefore a Data Manager is identified inside each Maxis Clinical Sciences department.
Data Protection Officer (DPO) is an individual, either internal or external to the organization, tasked with the following responsibilities: informing and advising the organization/business and its employees/consultants about their obligations to comply with the data protection laws; working towards compliance with this policy and other Data Protection Laws, which may include monitoring specific processes, managing or supervising internal Personal Data protection activities, advising on data protection impact assessments, as well as increasing employees' and consultants' awareness of data protection and training them on compliance with this policy; and being the first point of contact for supervisory authorities/dispute resolution bodies and individuals whose data is processed.
Maxis Clinical Sciences will ensure that one or more appropriately trained and qualified individuals are assigned as Data Protection Officer. This will be included in the Job Description of the respective employee(s) or consultant(s).
Data Privacy Breach is defined as a breach of security in a company, either Data Privacy Controller or Data Processor, which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller, such as cloud service providers or data analytics firms. Maxis Clinical Sciences may act as Data Processor on behalf of Clinical Trial Sponsors. Standard language related to obligations for Data Privacy and Data Processing will be included in Master Services Agreements (MSAs) or specific Data Processing Agreements (DPAs) with Clinical Trial Sponsors.
Data Protection Laws means, for the purposes of this document, the collective description of the GDPR, the UK GDPR, the UK Data Protection Act 2018, and any other relevant data protection laws that Maxis Clinical Sciences complies with.
Data Subject is an individual who is the subject of Personal Data.
Personal Data means any information relating to an identified or identifiable natural person (i.e. a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
An individual natural person can be identifiable either directly or indirectly. An individual is identifiable if it is possible, including in combination with other Personal Data or through third parties, to distinguish that individual from other members of a group. In some cases, there is no question that an individual can be ‘directly’ identified. A government-issued ID, for example, is explicitly and uniquely personal and would always be considered Personal Data. In other cases, a combination of data is required for the data to be deemed Personal Data. Importantly, the data does not need to be already combined; there just needs to be a possibility for it to become combined at some point in the future.
Examples of Personal Data are names, surnames, dates of birth, social security numbers, location data or other identifying personal security information, addresses, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data also includes online identifiers such as IP addresses and mobile device IDs.
Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Categories of Personal Data means information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning physical or mental health and data concerning a natural person’s sex life or sexual orientation (e.g., a medical certificate, clinical chart or case history, an email in which an employee states that he or she is on sick leave, allergies, documentation about injuries, etc.).
Supervisory Authority is an independent entity or independent dispute resolution body that has the duty of hearing, investigating, and ultimately verifying complaints made by Data Subjects on privacy matters. In certain regions, they are also empowered to impose administrative fines and punishments should the complaint be deemed valid, i.e., the company under investigation is found to have violated the applicable Data Protection Laws.
Third Party is a natural or legal person, public authority, agency or body other than the Data Subject, under the direct authority of Maxis Clinical Sciences, or as an independent Data Privacy Controller or joint Data Privacy Controller.
3.1. General Provisions
This Data Privacy Policy ensures that timely notice is provided whenever confidential information, including but not limited to “personal information” as protected under applicable New Jersey data security laws (N.J. Stat. Ann. §§ 56:8-161, -163, -165), has been compromised due to a breach of the company’s internal and external data security measures. The following specific requirements apply:
3.2. General Provisions
For data security breaches involving confidential information that is owned or licensed by a third party, the Data Protection Officer (DPO) shall provide prompt written notice within reasonable timelines to the affected owners and licensors when Maxis Clinical Sciences knows or has reason to know of a breach of its data security measures, or upon learning that confidential information of a resident of the State of New Jersey has been acquired or used by an unauthorized person or for an unauthorized purpose. The written notice shall include:
For data security breaches involving confidential information that is owned or licensed by Maxis Clinical Sciences, prompt written notice shall be provided to the Division of State Police in the Department of Law and Public Safety, and to any affected resident of the State of New Jersey, when Maxis Clinical Sciences knows or has reason to know of the data security breach. The notice shall include:
3.4. Notification During Criminal Investigation
Maxis Clinical Sciences collects and stores data from the following sources:
5.1. Maxis Clinical Sciences is committed to compliance with laws and regulations, including applicable Data Protection Laws. Given the nature, scope, context and purposes of the Processing performed, in particular in the context of clinical trials, regulatory services and study monitoring, Maxis Clinical Sciences has implemented adequate and appropriate technical and organizational measures to ensure the safeguarding of Personal Data and can evidence such measures through documentation and practices.
5.2. The main governance objectives pursued by Maxis Clinical Sciences in relation to data privacy are the following:
5.2.1. Educate Senior Management and Authorized Personnel about mandatory data privacy requirements under the applicable Data Protection Laws;
5.2.2. Identify key stakeholders to support the data protection compliance program;
5.2.3. Make sure that Authorized Personnel and Data Privacy Coordinators have sufficient access, support and resources to perform their duties;
5.2.4. Identify, create, and communicate privacy related matters according to the Privacy Organizational Model; and
5.2.5. Identify and monitor the technical and organizational measures that Maxis Clinical Sciences has implemented to ensure and demonstrate compliance with the applicable Data Protection Laws.
6.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e., legal basis):
6.1.1. The Data Privacy Controller has obtained the previous consent of the Data Subject and such consent is:
6.1.2. Processing is otherwise necessary for:
7.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), before any Processing (e.g., collection, analysis, processing, updating, modification or erasure) or, if the Personal Data are not provided by the Data Subject, within a reasonable period after obtaining the Personal Data, at the time of the first communication to that Data Subject or when the Personal Data are first disclosed, as the case may be, Maxis Clinical Sciences provides to the Data Subject the following information in the form of a privacy notice:
When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), where Processing is based on “consent”, Maxis Clinical Sciences ensures that:
Consent is always verifiable, and Maxis Clinical Sciences has controls in place to ensure that it can demonstrate consent in every case.
9.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences maintains updated records of Consent to demonstrate that, where applicable, the Data Subject has consented to Processing of his or her Personal Data.
9.2. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences has also implemented the following consent control mechanisms:
Maxis Clinical Sciences keeps a register of the Processing of Personal Data conducted in the capacity of Data Privacy Controller and of Data Processor (‘Register of Processing Activities’), in a clear and easy-to-read format, readily available to the Supervisory Authority upon request.
Maxis Clinical Sciences may instruct Third Parties to perform certain Processing activities on its behalf.
12.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences utilizes various security mechanisms to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction in light of the risks involved in the Processing and the nature of the Personal Data.
Before beginning any Processing of Personal Data, Authorized Personnel – with the support of the Data Manager of their department and, when necessary, of the DPO – will perform an assessment to identify the appropriate technical and organizational measures to effectively implement the Data Protection principles and obligations;
The aim of the assessment performed is to identify and integrate into the planned Processing on the Personal Data the safeguards required by this Policy and the applicable Data Protection Laws to protect Data Subjects’ rights;
The assessment will take in due consideration the state of the art and the costs of implementation, the nature, sphere of application, context and purposes of the Processing, as well as the risks to the rights and freedoms of Data Subjects.
In particular, Maxis Clinical Sciences applies the following controls and measures:
All Authorized Personnel, in the context of their assigned tasks and the Processing conducted, must ensure that Maxis Clinical Sciences has implemented technical and organizational security measures appropriate to the potential risks to ensure, by default, that only the Personal Data necessary for the specific purposes of the Processing are processed. In this context, unless it appears from the company documentation that Maxis Clinical Sciences had already approved the Processing, Authorized Personnel must bring the Processing to the attention of the relevant Data Manager and, if necessary, to the DPO to conduct the necessary impact assessments, to identify potential risks and the organizational and security measures to be taken.
Maxis Clinical Sciences, with the assistance of the DPO, shall consult in advance with the applicable Supervisory Authority if a DPIA indicates that the Processing could result in a high risk to the individuals concerned in the absence of additional organizational and security measures.
GDPR grants various rights to the Data Subjects whose Personal Data are processed:
| RIGHT | DESCRIPTION |
|---|---|
| Right of Access | It is the right to obtain confirmation of the existence of, and a copy of, the Personal Data, including information on: what Personal Data is being processed; the purposes for which the Personal Data is being processed; the existence of the right of limiting use and disclosure of Personal Data; the envisaged period for which the Personal Data will be stored or, where not possible, the criteria used to determine that period; who, if anyone, the Personal Data is disclosed to; and whether Personal Data is used for the purpose of making automated decisions relating to the Data Subject and, if so, what logic is being used for that purpose. |
| Right to Rectification | It is the right to have inaccurate or outdated Personal Data corrected and supplemented. |
| Right to Erasure / Right to be Forgotten | It is the right to have the Personal Data erased. |
| Right to Restriction of Processing | It is the right to have the use of the Personal Data restricted (e.g., termination of use of the Personal Data for market analysis purposes). |
| Right to Data Portability | It is the right to obtain, in a structured, commonly used and machine-readable format, the Personal Data provided, and the right to transmit the said Personal Data to another Data Privacy Controller. |
| Right to Object | It is the right to have Personal Data Processing terminated under certain circumstances (e.g., when the Processing of Personal Data relies on legitimate interest). |
| Right not to be Subject to a Decision Based Solely on Automated Processing | It is the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning the relevant Data Subject or similarly significantly affects him or her. |
| Right to Withdraw Consent | It is the right to withdraw the consent previously given at any time. |
Maxis Clinical Sciences commits to resolve inquiries and complaints about its Processing of Personal Data in compliance with this Policy and applicable Data Protection Laws. Individuals with inquiries or complaints regarding this Privacy Policy may first contact Maxis Clinical Sciences at [email protected].
Any breaches of this Policy must be reported to the relevant Data Manager, Senior Management and the DPO at [email protected].
Effective Date 01 Nov 2023
Confidential and Proprietary.