Data Privacy Policy

Maxis Clinical Sciences Website Cookie Policy
Purpose
The purpose of this policy is to ensure that Maxis Clinical Sciences, LLC (“Maxis Clinical Sciences”) meets its legal, statutory and regulatory obligations under the Data Protection Laws and to ensure that all personal and special category information is processed compliantly and in the Data Subjects’ best interest.

Maxis Clinical Sciences is committed to respecting the rights of the individuals on the confidentiality and protection of their Personal Data and processes personal data according to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the UK Data Protection Act 2018 and other applicable laws governing the processing of personal data (the “Data Protection Laws”).
Maxis Clinical Sciences may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective and past), Investigators and other site staff, clinical trial participants and sponsors of clinical trials where Maxis Clinical Sciences provides contracted clinical trial services to clients, visitors to the website, or any other individual that Maxis Clinical Sciences has a relationship with or may need to contact.

Data is transferred outside the UK on the basis of a declaration of adequacy.

Unless otherwise specified in this document, this policy applies to all Processing operations carried out by Maxis Clinical Sciences in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Maxis Clinical Sciences Data Protection standards and to comply with international regulations governing Data Privacy. When Maxis Clinical Sciences processes Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Maxis Clinical Sciences). This policy applies to data collected and processed for any business purpose, including Talent & Culture (T&C); however, certain sections will apply only when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union or the UK. The policy also describes how any data breaches will be investigated and reported, and protects the rights of all individuals who may have personal information collected by Maxis Clinical Sciences.
Scope
This document is relevant to all employees, directors and representatives of Maxis Clinical Sciences, and those contracted to perform tasks on behalf of Maxis Clinical Sciences. It is the responsibility of each employee or contractor to ensure that, at all times, data are collected, handled, stored and disposed of in compliance with all of the requirements of this policy and the applicable Data Protection Laws.
Procedure
1. The Principles of Data Privacy
1.1. The General Data Protection Regulation (EU) (2016/679) (“GDPR”) is underpinned by 6 primary principles (Article 5 of the GDPR), as follows:

  • Personal Data are processed lawfully, fairly and in a transparent manner.

  • Personal Data are collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

  • Personal Data are adequate, relevant and limited to what is necessary.

  • Personal Data are kept accurate and up to date.

  • Personal Data are not kept any longer than is necessary in a form which permits identification of the Data Subject.

  • Appropriate organizational and security measures ensure protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

  • Appropriate measures, records and controls are in place to be able to demonstrate compliance.

1.2. Depending on the type of Processing (e.g., contractual or legal obligations, marketing), the type of Personal Data (e.g., data relating to health) and the type of Data Subjects to which the Personal Data relate (e.g., children/minors), further principles and obligations may be imposed.

2. Definitions
Authorized Personnel is all employees and consultants of Maxis Clinical Sciences (acting either as Data Privacy Controller or Data Processor) who are authorized to process or use Personal Data on the basis of the tasks assigned to them in the performance of their duties.

Data Privacy Controller is the natural or legal person that determines the purposes, conditions and means of the Processing of Personal Data, i.e., a company or organization which requires Personal Data. For the purposes of this Policy and with reference to the Processing described herein, the Data Privacy Controller is Maxis Clinical Sciences.

Data Privacy Coordinators are internal focal points, identified for organizational purposes, for the practical and operational management of the Processing activities (e.g., T&C manager, Legal manager, etc.); accordingly, a Data Manager is identified within each Maxis Clinical Sciences department.

Data Protection Officer (DPO) is an individual, either internal or external to the organization, tasked with the following responsibilities:

  • Informing and advising the organization/business and its employees/consultants about their obligations to comply with the Data Protection Laws;

  • Working towards compliance with this policy and other Data Protection Laws. This may include monitoring specific processes, managing or supervising internal Personal Data protection activities, advising on data protection impact assessments, as well as raising employees’ and consultants’ awareness of data protection and training them on compliance with this policy;

  • Being the first point of contact for supervisory authorities/dispute resolution bodies and for individuals whose data is processed.

Maxis Clinical Sciences will ensure that an appropriately trained and qualified individual, or individuals, are assigned as Data Protection Officer. This will be included in the Job Description of the respective employee(s) or consultant(s).

Data Privacy Breach is defined as a breach of security in a company, acting either as Data Privacy Controller or Data Processor, which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller, such as cloud service providers or data analytics firms. Maxis Clinical Sciences may act as Data Processor on behalf of Clinical Trial Sponsors. Standard language related to obligations for Data Privacy and Data Processing will be included in Master Services Agreements (MSAs) or specific Data Processing Agreements (DPAs) with Clinical Trial Sponsors.

Data Protection Laws is, for the purposes of this document, the collective description of the GDPR, the UK GDPR, the UK Data Protection Act 2018 and any other relevant data protection laws that Maxis Clinical Sciences complies with.

Data Subject is an individual who is the subject of Personal Data.

Personal Data means any information relating to an identified or identifiable natural person (i.e., a Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

An individual natural person can be identifiable either directly or indirectly. An individual is identifiable if it is possible, including in combination with other Personal Data or through third parties, to distinguish that individual from other members of a group. In some cases, there is no question that an individual can be ‘directly’ identified. A government-issued ID, for example, is explicitly and uniquely personal and would always be considered Personal Data. In other cases, a combination of data is required for the data to be deemed Personal Data. Importantly, the data does not need to be already combined; there just needs to be a possibility for it to become combined at some point in the future.

Examples of Personal Data are names, surnames, dates of birth, social security numbers, location data or other identifying personal information, addresses, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. Personal Data also includes online identifiers such as IP addresses and mobile device IDs.

Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning physical or mental health and data concerning a natural person’s sex life or sexual orientation (e.g., a medical certificate, clinical chart or case history, an email in which an employee states that he or she is on sick leave, allergies, documentation about injuries, etc.).

Supervisory Authority is an independent entity or independent dispute resolution body that has the duty of hearing, investigating and ultimately verifying complaints made by Data Subjects on privacy matters. In certain regions, they are also empowered to impose administrative fines and penalties should the complaint be deemed valid, i.e., the company under investigation is found to have violated the applicable Data Protection Laws.

Third Party is a natural or legal person, public authority, agency or body other than the Data Subject, acting either under the direct authority of Maxis Clinical Sciences or as an independent Data Privacy Controller or joint Data Privacy Controller.

3. Specific Requirements in the State of New Jersey
3.1. General Provisions
This Data Privacy Policy ensures that timely notice is provided whenever confidential information, including but not limited to “personal information” as protected under applicable New Jersey data security laws (N.J. Stat. Ann. §§ 56:8-161, -163, -165), has been compromised due to a breach of the company’s internal and external data security measures. The following specific requirements apply:

3.2. Data Security Breaches Involving Third-Party-Owned or Licensed Information
For data security breaches involving confidential information that is owned or licensed by a third party, the Data Protection Officer (DPO) shall provide prompt written notice, within reasonable timelines, to the affected owners and licensors when Maxis Clinical Sciences knows or has reason to know of a breach of its data security measures, or upon learning that confidential information of a resident of the State of New Jersey has been acquired or used by an unauthorized person or for an unauthorized purpose. The written notice shall include:

  • The date or approximate date of the data security breach and its nature.
  • The steps that Maxis Clinical Sciences has taken or plans to take relating to the data security breach.

In providing notice to affected owners and licensors, Maxis Clinical Sciences is not required to disclose confidential business information or trade secrets.

3.3. Data Security Breaches Involving Company-Owned or Licensed Information
For data security breaches involving confidential information that is owned or licensed by Maxis Clinical Sciences, prompt written notice shall be provided to the Division of State Police in the Department of Law and Public Safety, and to any affected resident of the State of New Jersey, when Maxis Clinical Sciences knows or has reason to know of the data security breach. The notice shall include:

  • The date or approximate date of the data security breach and its nature.
  • The approximate number of residents of the State of New Jersey affected by the data security breach.
  • The steps that Maxis Clinical Sciences has taken or plans to take relating to the data security breach.
5. Accountability and Compliance
5.1. Maxis Clinical Sciences is committed to compliance with laws and regulations, including applicable Data Protection Laws. Given the nature, scope, context and purposes of the Processing performed, in particular in the context of clinical trials, regulatory services and study monitoring, Maxis Clinical Sciences has implemented adequate and appropriate technical and organizational measures to ensure the safeguarding of Personal Data and can evidence such measures through documentation and practices.

5.2. The main governance objectives pursued by Maxis Clinical Sciences in relation to data privacy are the following:

  • Educate Senior Management and Authorized Personnel about mandatory data privacy requirements under the applicable Data Protection Laws;

  • Identify key stakeholders to support the data protection compliance program;

  • Make sure that Authorized Personnel and Data Privacy Coordinators have sufficient access, support and resources to perform their duties;

  • Identify, create and communicate privacy-related matters according to the Privacy Organizational Model; and

  • Identify and monitor the technical and organizational measures that Maxis Clinical Sciences has implemented to ensure and demonstrate compliance with the applicable Data Protection Laws.

6. Legal Basis for Processing
6.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e., legal basis):

6.1.1. The Data Privacy Controller has obtained the prior consent of the Data Subject and such consent is:

  • Informed: a complete privacy notice was provided;

  • Issued following a specific request that must be separate from the rest of the text and provided using clear and plain language;

  • Freely given: the performance of a contract, including the provision of a service, must not be dependent on the consent;

  • Expressed and documented: the date of issue of the consent must be recorded as evidence.

6.1.2. Processing is otherwise necessary for:

  • Compliance with a legal obligation or regulation (under UK laws, European laws and regulations, and applicable national laws in Europe);

  • The performance of an agreement or of a request made directly by the Data Subject (for example, assistance requested via e-mail or pre-contractual requests);

  • The protection of the vital interests of the Data Subject or of another natural person;

  • The performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Privacy Controller;

  • The fulfilment of a legitimate interest of the Data Privacy Controller or a Third Party, except where such interest is overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child.

7. Information to the Data Subjects
7.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences provides the Data Subjects with the following information:

  • The identity and the contact details of the Data Privacy Controller;

  • The contact details of the DPO;

  • The purpose(s) of the Processing for which the Personal Data is intended;

  • The legal basis for the Processing; where the Processing is necessary for the purposes of the legitimate interests pursued by the Data Privacy Controller or by a Third Party, details of the legitimate interests;

  • The recipients or categories of recipients of the Personal Data; from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources;

  • If applicable, the fact that Maxis Clinical Sciences intends to transfer the Personal Data to a third country and the existence of an adequacy decision or, in the absence of an adequate decision, reference to the appropriate or suitable safeguards that Maxis Clinical Sciences has put in place;

  • The period during which the Personal Data will be stored, or if that is not possible, the criteria used to determine the retention period;

  • The existence of the right to request access to and rectification or erasure of, Personal Data, restriction of Processing or to object to Processing as well as the right to data portability;

  • Where the Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of the Processing based on consent before its withdrawal;

  • The right to lodge a complaint with the Supervisory Authority;

  • Whether providing Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;

  • The existence of any automated decision-making, including profiling, and explanatory information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and

  • Where Maxis Clinical Sciences intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected.

7.2. Maxis Clinical Sciences has also implemented a website privacy policy and can provide its users with a copy in physical or digital format upon request. The website privacy policy is the customer-facing policy that provides the legal information on how Maxis Clinical Sciences handles, processes and discloses Personal Data of website visitors.

8. Rules on Consent
When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), where Processing is based on “consent”, Maxis Clinical Sciences ensures that:

  • Consent requests are transparent, use plain language and are free of any illegible terms, jargon or extensive legal terms;

  • Consent is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes;

  • Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the Processing of Personal Data;

  • Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand;

  • Pre-ticked opt-in boxes are not used;

  • Where consent is given as part of other matters (e.g., terms & conditions, agreements, contracts), Maxis Clinical Sciences ensures that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service);

  • Along with Maxis Clinical Sciences, details are provided of any other Third Party who will use or rely on the consent;

  • Consent is always verifiable, and Maxis Clinical Sciences has controls in place to ensure that it can demonstrate consent in every case.
9. Consent Controls
9.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences maintains updated records of consent to demonstrate that, where applicable, the Data Subject has consented to the Processing of his or her Personal Data.

9.2. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences has also implemented the following consent control mechanisms:

  • Opt-out links in mailings or electronic communications;
  • Opt-out process explanation and steps on the company website and in all written communications;
  • Ability to opt-out verbally, in writing or by email;
  • Consent withdrawal requests are processed immediately and without detriment;
  • Where services are offered to children, age-verification and parental-consent measures have been developed and are in place to obtain consent;
  • Controls and processes have been developed and implemented to refresh consent, especially those relating to parental consents;
  • For Special Category of Personal Data, the consent obtained is explicit (stated clearly and in detail, leaving no room for confusion or doubt) with the Processing purpose(s) always being specified.

10. Register of Processing Activities

  • Maxis Clinical Sciences keeps a register of the Processing of Personal Data conducted in the capacity of Data Privacy Controller and of Data Processor (‘Register of Processing Activities’), in a clear and easy-to-read format, readily available to the Supervisory Authority upon request.

  • Each Data Manager shall promptly report to the DPO any change in the activities performed by their department which has or may have an impact on the Personal Data processed by such department, so that the DPO can update the Register of Processing Activities.

  • In the case of new Processing or modifications to existing Processing, the DPO shall be immediately informed so that the Register of Processing Activities can be updated.

11. Third-Party Data Processors and Third-Party Data Privacy Controllers

  • Maxis Clinical Sciences may instruct Third Parties to perform certain Processing activities on its behalf.

  • When a Third Party has to be selected for such purpose, Maxis Clinical Sciences performs a preliminary privacy audit to assess whether such Third Party has implemented adequate organizational and security measures, and records all Personal Data that have to be transferred outside the organization.

  • The Third Party is then authorized to receive and process that Personal Data by virtue of a data processing agreement whereby the Third Party is entrusted with the duties and responsibilities of a Data Processor.

  • Before transferring Personal Data to a Third Party, Authorized Personnel must verify, with the assistance of the Data Manager of their department, that the selected Third Party is authorized to process the Personal Data to be transferred.

  • Maxis Clinical Sciences also recognizes that the continued protection of the security of Personal Data and of Data Subjects’ rights is a top priority when choosing or maintaining a contractual arrangement with a Third Party. Therefore, audits of Data Processors may also be performed regularly during the contractual relationship with them, with or without cause.

  • If the Third Party acts in the capacity of independent Data Privacy Controller (or of joint Data Privacy Controller), specific clauses governing the data protection responsibilities of each party are included in the written contractual arrangement with such Third Party.

  • If the Third Party (in the capacity of Data Privacy Controller or Data Processor) is intended to receive Special Categories of Personal Data from Maxis Clinical Sciences, particular care will be taken in the selection of the Third Party and in the assessment of the organizational and security measures implemented by such Third Party.

12. Privacy by Design and Privacy by Default
12.1. When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), Maxis Clinical Sciences utilizes various security mechanisms to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction, in light of the risks involved in the Processing and the nature of the Personal Data.

  • Before beginning any Processing of Personal Data, Authorized Personnel – with the support of the Data Manager of their department and, when necessary, of the DPO – will perform an assessment to identify the appropriate technical and organizational measures to effectively implement the Data Protection principles and obligations;

  • The aim of the assessment performed is to identify and integrate into the planned Processing of the Personal Data the safeguards required by this Policy and the applicable Data Protection Laws to protect Data Subjects’ rights;

  • The assessment will take into due consideration the state of the art and the costs of implementation, the nature, scope, context and purposes of the Processing, as well as the risks to the rights and freedoms of Data Subjects. In particular, Maxis Clinical Sciences applies the following controls and measures:

  • Data Minimization: systems, processes and activities are designed to limit the collection and Processing of Personal Data to what is directly relevant and necessary to accomplish the specified purpose. Personal Data shall be regularly reviewed and updated if found to be out of date, and Personal Data no longer required will be securely disposed of.

  • Pseudonymization: where possible, pseudonymization techniques are used to record, process and store Personal Data to ensure that it can no longer be attributed to a specific Data Subject without the use of separate, additional information (i.e., a personal identifier).

  • Encryption: for transferring Personal Data to a Third Party, a secret key is used to make Personal Data inaccessible unless decryption of the dataset is carried out using the assigned key. Encryption is also used to protect the personal identifiers removed after the use of pseudonymization techniques.

  • Restriction: access to Personal Data is restricted only to Authorized Personnel who need to have access to such Personal Data to perform their job functions. Personal Data will be maintained securely and will not be disclosed to unauthorized individuals, whether internally or externally.

  • Training: Maxis Clinical Sciences ensures that Authorized Personnel are trained on this Policy and the applicable Data Protection Laws. The DPO will advise and guide Authorized Personnel and Data Managers on relevant privacy requirements.

  • All Authorized Personnel, in the context of their assigned tasks and the Processing conducted, must ensure that Maxis Clinical Sciences has implemented technical and organizational security measures appropriate to the potential risks to ensure, by default, that only the Personal Data necessary for the specific purposes of the Processing are processed. In this context, unless it appears from the company documentation that Maxis Clinical Sciences has already approved the Processing, Authorized Personnel must bring the Processing to the attention of the relevant Data Manager and, if necessary, of the DPO to conduct the necessary impact assessments, to identify potential risks and the organizational and security measures to be taken.

13. Security Measures
13.1. Personal Data are protected with appropriate security measures, taking into account the state of technical innovation, their nature and the specific features of the Processing.

13.2. Security measures can be defined as all those technical measures, electronic devices and/or computerized application systems which are used to guarantee the following conditions:

  • Personal Data are not destroyed or lost, accidentally or otherwise;
  • Only Authorized Personnel can access Personal Data on a “need to know” basis;
  • No Processing which is unlawful or inconsistent with the purposes for which Personal Data were collected is performed.

13.3. In particular, Maxis Clinical Sciences has implemented the following security measures:

  • Risks of Personal Data Breaches are managed through the Data Breach Handling Procedure;
  • Personal Data will be maintained securely, and strong passwords will be utilized (and enforced by the Information Technology policies and infrastructure);
  • Personal Data will not be disclosed to unauthorized individuals, whether internally or externally;
  • Personal Data are regularly reviewed and updated;
  • Personal Data no longer required will be securely disposed of;
  • During a clinical trial, Personal Data are pseudonymized; however, should Personal Data of study participants be inadvertently received from the Hospital Site, an Investigator or another source with identifying information contained within, the Personal Data will be returned to the originating source and a redacted version requested. If this is not feasible, personal identifiers will be removed by Maxis Clinical Sciences from the Personal Data to ensure that propagation of identifying information does not occur.
14. Legitimate Interests Assessment (LIA)

  • Legitimate interest may provide a legal basis for Processing unless such interest is overridden by the fundamental rights and freedoms of the Data Subjects.

  • When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), prior to Processing Personal Data based on legitimate interest, the existence of such interest must be carefully assessed, including the expectation of the Data Subject, at the time and in the context of the collection of Personal Data, that a Processing for that specific purpose may take place.

  • The Legitimate Interests Assessment (hereinafter, “LIA”) is a self-assessment to ensure that the Processing is lawful and complies with the GDPR principles. The LIA includes a purpose test, a necessity test and a balancing test.

  • A record of LIAs and their outputs is retained to demonstrate compliance with the GDPR, helping to show the proper decision-making processes in place and to justify the outcome. The LIA will be reviewed and refreshed if there is any significant change in the purpose, nature or context of the Processing. In the event that the outcome of the balancing test identifies a significant risk, a DPIA to assess the risk and potential mitigation actions will be conducted.
  • 15. Data Protection Impact Assessments (DPIA)

  • When processing Personal Data of Data Subjects that are resident or based in the European Union or the UK (for example, patients of clinical sites based in the EU/the UK and Maxis Clinical Sciences UK employees), a prior assessment is required for processing involving the use of new technologies and/or where there is a likelihood that such Processing could result in a high risk to the rights and freedoms of Data Subjects. In those circumstances, having regard to the nature, subject, context and purposes of the Processing, Maxis Clinical Sciences performs a prior Data Protection Impact Assessment (DPIA) with the involvement of the DPO.

  • Carrying out DPIAs enables Maxis Clinical Sciences to identify the most effective way to comply with its data protection obligations, mitigate risks and ensure the highest level of protection for the Personal Data processed. It is part of the Maxis Clinical Sciences Privacy by Design approach to assess the impact and risk before carrying out new Processing activities, thus identifying and correcting issues at the source and reducing costs, potential breaches and risks.

  • Solutions and suggestions are set out in the DPIA and all risks are rated to assess their likelihood and impact. The aim of solutions and mitigating actions is to ensure that each risk is either eliminated, reduced or accepted.
  • 16. Prior Consultation with the Supervisory Authority
    Maxis Clinical Sciences, with the assistance of the DPO, shall consult in advance with the applicable Supervisory Authority if a DPIA indicates that the Processing could result in a high risk to the individuals concerned in the absence of additional organizational and security measures.
    17. Data Retention, Storage & Disposal

  • Maxis Clinical Sciences has defined retention periods according to the applicable Data Protection Laws, Good Clinical Practice (GCP) and Pharmaceuticals laws and regulations.

  • Paper data are stored in a secure location which prevents access by unauthorized personnel. Access to restricted locations is governed by appropriate authorization mechanisms described in the Business Continuity Plan. Electronic data are stored, secured and backed up according to the requirements of the Network and Security Monitoring Policy.

  • Electronic and paper records are retained in line with Retention of Records.

  • All Personal Data is disposed of in a way that protects the rights and freedoms of Data Subjects (e.g., shredding, disposal as confidential waste, secure electronic deletion) and gives priority to the protection of the Personal Data in all instances.

  • Any file stored in soft copy on the repositories and servers authorized by Maxis Clinical Sciences must be deleted from the server and from any backup or secondary repository upon expiration of the relevant retention period.
  • 18. International Transfers of Personal Data

  • Transfer of Personal Data from the European Union or the UK is prohibited to recipients or servers located in third countries where the third country jurisdiction is inadequate, appropriate safeguards have not been implemented, or no derogation or exemption applies (i.e., specific consent is obtained).

  • If an Authorized Personnel is unsure of the implications of transferring Personal Data outside the European Union or the UK, he/she has to inform the Data Manager and the DPO for the assessment of the specific situation.

  • Where Personal Data is being transferred outside the European Union or the UK, the transfer is encrypted with a secret key and where possible is also subject to data minimization methods.

  • Maxis Clinical Sciences has implemented a Privacy Data Transfer Register and Data Privacy Transfer Policy so that tracking is easily available, and authorization is accessible.
  • 19. Reporting and Management of Personal Data Breaches

  • Whilst every effort is made and measures are taken to reduce the risk of Personal Data Breaches, Maxis Clinical Sciences has dedicated controls and procedures in place for such situations, including for the notification of the Supervisory Authority and the Data Subjects concerned, when applicable.

  • If a Personal Data Breach occurs, the following actions will be taken: the DPO must be informed within 1 business day if any Authorized Personnel becomes aware of a potential or actual breach, or of a complaint regarding a Personal Data Breach brought by any individual or government agency; in case of an actual or suspected Personal Data Breach, all Authorized Personnel must also implement appropriate mitigation actions, as decided by the DPO in relation to the specific situation, and provide assistance to the DPO for the proper investigation, remediation and notification (if applicable) of the Personal Data Breach.

  • The DPO will, in particular, carry out a Personal Data Breach investigation to gather any necessary information required in order to make an informed decision regarding the nature of the potential or actual breach, and whether further reporting is required according to the nature, location and severity of the issue.

  • This Policy is designed to provide global protection of Personal Data. If a potential or actual breach of Personal Data occurs outside of the European Union/UK, the DPO will ensure any local reporting requirements are adhered to. Actual and suspected Personal Data Breaches will be reported to any required body within 72 hours of occurrence of the breach, or within the different timeline specified under the applicable Data Protection Laws. The DPO will liaise with all internal stakeholders (including, but not limited to, Senior Management, Information Technology and Quality Assurance & Compliance) to ensure the breach is minimized and that the risk of subsequent or repeated Personal Data Breaches is eliminated through a series of corrective and/or preventive actions.

  • Maxis Clinical Sciences keeps a Data Breach Register. Any and all Personal Data Breaches are recorded in the Personal Data Breach Register, which provides details of: the circumstances of the breach; its consequences; and the measures taken to remedy it.
  • 20. Data Subject Rights and Subject Access Requests (SARs)
    GDPR grants various rights to the Data Subjects whose Personal Data are processed (listed in the table of rights at the end of this Policy):

  • Subject Access Requests (SARs) can be made to the DPO via [email protected].

  • If any Authorized Personnel receives a SAR, he/she must forward that request to the DPO by sending an email to [email protected] within 1 business day of receipt of the request. The DPO, with the support of the Data Manager, will assess the SAR within 1 business day of receipt and determine the reason for the request and the lawfulness of the Processing. SARs must be responded to within 1 calendar month of receipt of the initial SAR. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and the Data Subject is kept informed in writing throughout the retrieval process of any delays or reasons for delay.

  • Any requested information is provided to the Data Subject free of charge and in writing, or by other means authorized by the Data Subject (i.e., verbally or electronically) and, when applicable, with prior verification of the Data Subject’s identity.

  • 21. Recourse, Enforcement and Liability

  • Any complaints or concerns regarding the use, disclosure or transfer of Personal Data by Maxis Clinical Sciences should in the first instance be directed to the Maxis Clinical Sciences DPO at [email protected].

  • Complaints that cannot be resolved internally by Maxis Clinical Sciences will be referred to the applicable Supervisory Authority (i.e., the ICO, another EU DPA or a competent non-EU authority), which will address the complaint and provide appropriate recourse free of charge to the individual.
  • 22. Inquiries and Complaints
    Maxis Clinical Sciences commits to resolving inquiries and complaints about its Processing of Personal Data in compliance with this Policy and applicable Data Protection Laws. Individuals with inquiries or complaints regarding this Privacy Policy may first contact Maxis Clinical Sciences at [email protected].
    23. Auditing

  • Maxis Clinical Sciences will also perform periodic audits with a view to ensuring that the organizational and security measures in place to protect Data Subjects and their Personal Data are adequate, effective and compliant at all times.

  • The DPO has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement and action plans to the Senior Management.

  • All reviews and audits are recorded by the DPO and audit reports are provided to Senior Management for review and approval and can be made available to the Supervisory Authority upon request.
  • 24. Violation of the Policy

  • Any breaches of this Policy must be reported to the relevant Data Manager, Senior Management and the DPO at [email protected].

    Effective Date 01 Nov 2023
    Confidential and Proprietary.

    RIGHT | DESCRIPTION
    --- | ---
    Right of Access | It is the right to obtain confirmation of the existence of, and a copy of, the Personal Data, including information on: what Personal Data is being processed; the purposes for which the Personal Data is being processed; the existence of the right of limiting use and disclosure of Personal Data; the envisaged period for which the Personal Data will be stored or, where not possible, the criteria used to determine that period; who, if anyone, the Personal Data is disclosed to; and whether Personal Data is used for the purpose of making automated decisions relating to the Data Subject and, if so, what logic is being used for that purpose.
    Right to Rectification | It is the right to have inaccurate or outdated Personal Data corrected and supplemented.
    Right to Erasure / Right to be Forgotten | It is the right to have the Personal Data erased.
    Right to Restriction of Processing | It is the right to have the use of the Personal Data restricted (e.g., termination of use of the Personal Data for market analysis purposes).
    Right to Data Portability | It is the right to obtain the Personal Data provided in a structured, commonly used and machine-readable format, and the right to transmit the said Personal Data to another Data Privacy Controller.
    Right to Object | It is the right to have Personal Data Processing terminated under certain circumstances (e.g., when the Processing of Personal Data relies on legitimate interest).
    Right not to be Subject to a Decision Based Solely on Automated Processing | It is the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning the relevant Data Subject or similarly significantly affects him or her.
    Right to Withdraw Consent | It is the right to withdraw consent previously given at any time.