Processing of personal data
2018-05-25 – The following policy has been established for Scandinavian CRO AB (the ”Company”):
1. BACKGROUND
In most cases, it is our client, i.e. the company, authority or organization that uses our services, who is the controller, which means that it has the ultimate responsibility for the processing of your personal data and the preservation of your rights. If you are, or have been, part of a clinical study you can, in your documented informed consent, find out who is the controller regarding your personal data. You can also contact us in accordance with the contact details in section 6 below, and we can guide you to the relevant controller.
The Company has, through agreements with our clients, been commissioned to collect and process personal data on their behalf, and we fulfill this task in the capacity of a processor. In some cases, the Company itself operates as a controller. This applies when we collect and process personal data for our own account, such as in relation to employees or in connection with marketing.
We do not process more personal data than is necessary for the purpose, and we always strive to use the least privacy-sensitive information.
The processing of employees’ and former employees’ personal data is specifically regulated in an internal policy.
2. PURPOSE
We protect your privacy and you should be able to feel safe when you entrust us with your personal data. Therefore, we have established this policy based on current data protection legislation to clarify how we work to defend your rights and your integrity.
The purpose of this policy is to inform you about how we process your personal data, what we use it for, who will get access to it and under what conditions and how you can exercise your rights.
3. GUIDELINES
What types of personal data do we process?
We only process personal data when we have a legal ground and, when we operate as a processor, only when we have explicit instructions from our client. We do not process personal data in any case other than when it is required to fulfill our obligations under law and agreements or based on legitimate interests.
The types of personal data that we process as a processor are primarily the following:
- Age
- Information regarding genetics
- Information regarding health and sickness
- Study code
- Subject number/patient number
- Photos/pictures/radiography
- Information that you publish yourself or otherwise provide to us voluntarily including details regarding your health (i.e. sensitive personal data)
The types of personal data that we process as a controller are primarily the following:
- Name
- Address
- E-mail address
- Phone number
- Personal identity number
- User name
- Photos/pictures/sound recordings
- Account number and other bank-related information
- Education participation
- CVs
- Information that you publish yourself or otherwise provide to us voluntarily including details regarding your health (i.e. sensitive personal data)
Special category data (sensitive personal data)
The processing of personal data that is deemed sensitive – for example information regarding politics, religion, genetics or health – is made restrictively and with due observance of confidentiality.
How do we access your personal information?
We will primarily get access to your personal information from our clients in cases where we are a processor and otherwise by you providing the personal data to us.
We can also get access through the following ways:
- Information which you provide us with directly
- Information that is registered when you visit our website
- Information we receive from public registers
- Information that we receive when you answer surveys and other polls and investigations
- Information we receive when you sign up for our events or seminars
- Information that we receive when you sign up for newsletters and other mailings
- Information that we receive when you contact us, seek employment with us, visit us or in other ways seek contact with us
In what ways and for what reasons do we process your personal data?
In most cases, we process personal data on behalf of our clients in the capacity of processor. The controller is then responsible for determining which legal ground is applicable as well as what personal data to collect, for which purposes and how to process them.
In cases where the Company itself is the controller, we mainly process personal data with the support of law, so-called legal obligation, for example in order to comply with requirements under the Accounting Act, or with the support of an agreement with an individual (such as an employment contract).
In some cases, we may also process your personal data based on legitimate interests. This will primarily be relevant when we need to process personal data for advertising or marketing purposes.
Regarding such processing of personal data which is not directly necessary to comply with applicable laws and which does not have another legal ground as described above, we will collect your consent in connection with the retrieval of such personal data, for example health information or other sensitive personal data when inviting you to events and seminars. You may withdraw your consent at any time for such processing as described above. We will then no longer process your personal data or obtain any new data, unless it is necessary to fulfill our obligations under a contract or law.
Is your personal data processed in a safe way?
We have routines and procedures for managing your personal data in a safe way. Only persons who need personal data to perform their duties and the Company’s commitments shall have access to personal data.
Our security systems are developed with your integrity in focus and to protect, to a great extent, against intrusion, destruction and other incidents that could endanger your privacy. We have agreements with our IT providers regarding IT security to ensure that your personal data is processed safely.
When do we share your personal data?
We may not disclose your personal data to anyone other than the client who is the controller for your personal information unless you have given your consent or where it is necessary to comply with our statutory obligations or is governed by our agreement with the controller.
In some cases, personal data is transferred to our subcontractors for marketing, information and follow-up purposes and for storage. See more about processors/sub-processors in section 5 below.
We do not transfer personal data to third parties in cases other than those expressly stated in this policy.
We only transfer personal data outside the EU/EEA, if we have a legal ground for the transfer in accordance with applicable laws and regulations for data protection. This means, for example, that we can transfer personal data to Privacy Shield-certified data processors in the United States. For non-Privacy Shield-certified recipients, we may transfer your personal data outside the EU/EEA, using standard data protection measures adopted by the EU Commission. We may also transfer your personal data to a country that the EU Commission has assessed to have an adequate level of protection for the processing of personal data.
Retaining and deleting personal data
We retain your personal information according to the instructions we receive from the controller. We will never process (save) your personal data after our agreement with the controller is terminated, unless required by law or by a specific requirement in the agreement with the controller.
Where we are the controller, your personal data will not be retained for longer than what is necessary in order to fulfill the purpose of the processing and we will delete personal data in accordance with applicable law.
4. YOUR RIGHTS
When we are processor
The rights for individuals as set out below apply in relation to the relevant controller. In cases where we process personal data on behalf of others and as processor, please contact the respective controller for the exercise of your rights below. If you have any questions regarding this, you can contact us via the contact details in section 6 below.
When we are controller
Withdraw consent
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time by contacting us via the contact information set forth in section 6 below. Withdrawal will not affect the lawfulness of processing before the withdrawal.
Request for rectification or erasure
You are entitled to request that personal data about you is rectified or erased. You also have the right to restrict the processing of your personal data or object to such processing in accordance with the General Data Protection Regulation or national privacy laws. Following such a request, we will examine whether there is reason to implement the requested change.
Request for a registry extract
You are entitled to request extracts from the Company and our registries/systems in which personal data about you is processed and, in such extracts, be informed of what personal data about you the Company is processing and how we process this data.
If you have questions regarding the processing of your personal data, or if you find that any data is incorrect and want to request rectification, erasure, restriction or objection to the processing, please contact us in accordance with section 6 below.
The Swedish Data Protection Authority
The Swedish Data Protection Authority (DPA) is the supervisory public authority for processing of personal data and data protection in Sweden. You are entitled to lodge complaints regarding the processing of personal data to the DPA. Contact information for the DPA can be found on https://www.imy.se/kontakta-oss/
5. CONTROLLER OF PERSONAL DATA AND OUR PROCESSORS
The controller is ultimately responsible for how your personal data is processed and that your rights are protected. The Company is in most cases a processor of personal data.
The Company always ensures through personal data processing agreements or otherwise that our processors/sub-processors only process personal data in accordance with this policy.
If you, as a registered person, want to know which personal data processors (sub-processors) we use, you can contact us in accordance with section 6 below and we will provide you with a list.
6. CONTACT DETAILS
Controller of personal data: Scandinavian CRO AB, 556587-3147
Address: Box 150 27, SE-75015 Uppsala, SWEDEN
Phone number: +46 18 100 550
E-mail address: dataprotection@scro.se