Our approach to Privacy
If you are a resident of the State of California, this Policy also incorporates our Privacy Notice for California Residents, which includes additional information required to be provided under California law.
If your personal information is processed in South Africa, this policy also incorporates our Privacy Notice – South Africa, which includes additional information required to be provided under the South African law.
Synexus has enacted internal policies, procedures and training programs designed to support compliance with these laws and this Policy. Our policies, procedures and training programs are reviewed on a regular basis, and overseen by a team of privacy professionals with senior executive oversight.
What personal information does Synexus handle and for what purposes?
As a global site management organization, Synexus provides investigational sites for clinical trials conducted by our clients. As such, we collect, host and analyze significant quantities of health data and bio-medical samples relating to study subjects. In terms established by the Regulation, Synexus considers itself as co-Controller with sponsor/client in determining how and why clinical and medical data are processed in its capacity as a site management organization.
To enhance privacy, consistent with GCP, subjects’ names and other direct identifiers are not attached to records or samples utilized by Synexus’s clients for research purposes.
We also collect and maintain personal contact information, details regarding health and medical conditions, and areas of interest in medical research from individuals who have expressed to us an interest in taking part in clinical trials, so that we are able to match them with a suitable clinical trial as they may arise. We use this information to recruit individuals for clinical trials and to run general statistical analysis in support of patient recruitment.
On some occasions, Synexus provides health services to local communities in the form of health screening activities for certain pathologies/diseases. During this activity, we collect names, contact information, and medical information of participants. Once the test is performed, with the consent of the participant, we’ll add their information to our database so that they can be contacted by us for future testing or clinical trial opportunities, in line with their specific medical condition. Should they choose not to provide such consent, Synexus will only share results of the testing with the participant’s physician.
In the course of conducting our business, Synexus will interact with employees, consultants, contractors and other third parties employed or engaged by our clients involved in clinical and medical research. Synexus will record and use the names, contact details and other professional information on these individuals for legitimate business-related purposes, including project and financial administration. We may use the information we obtain, including email addresses, to provide relevant information on Synexus’s services to our clients.
Synexus collects personal information from applicants seeking employment with the company, including private contact details, professional qualifications and previous employment history to inform employment decisions. Synexus conducts various background checks on applicants, including where law allows on criminal history and professional disbarment. Once employed, Synexus collects information on staff for human resource, performance, payroll and tax purposes. Synexus will collect and record employee level information in various company systems, consistent with standard business operations. Synexus processes similar information relating to consultants, contractors and other third parties engaged by the company to provide products or services to it.
Synexus collects named information about visitors to company websites where this is voluntarily provided to meet a request from those individuals, for example where a client contact requests information on a company service, a health professional is interested in participating in a clinical trial or where someone wants to apply for a vacant position with the company. Through the use of cookie-based technologies, Synexus may collect various data linked to virtual identities allocated to visitors when they access our websites. This data is used for various purposes, including site analytics and first party marketing (see Online Issues below). In certain cases, these virtual identities are linked to the real world identities of visitors when they provide their named information as described above. This allows Synexus to tailor marketing messages to those individuals, inclusive of information that is likely to be of interest to them.
Synexus appoints vendor contact centers for the purpose of reaching out to individuals who have expressed an interest in taking part to clinical trials. Personal data on those contacted are only collected to process their request and determine whether or not they are eligible to make an appointment for a screening visit at Synexus’ facilities. Our contact centers do not reach out to individuals who have not previously provided their contact information to Synexus. Calls may be recorded for quality assurance purposes. Callers (inbound and outbound) are notified if their call is recorded.
Personal information will be shared within Synexus and its affiliated companies and with third parties, including our agents and service providers, on a “need to know” basis to meet stated legitimate business purposes. Access to databases and folders containing personal information is restricted to appropriate staff. Synexus does not trade or sell personal information.
Under some circumstances, Synexus may be required by law enforcement or judicial authorities to disclose certain personal information as part of investigations or for litigation purposes. Synexus may disclose personal information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of Synexus or some or all of its assets.
Companies working as vendors of Synexus are required to sign “processor” and/or confidentiality agreements whereby they will commit to only process personal information consistent with contracted purposes and apply appropriate organizational and technical security safeguards.
Synexus is a global company serving an industry that is increasingly globalized in its approach to clinical research. Personal information will be shared across international borders as required to service global projects. Synexus hosts personal information in databases in different locations throughout the world, including in the United States. In certain circumstances, Synexus and client personal information will be hosted within vendor platforms located in the Internet cloud. Synexus recognizes that many countries globally have regulations restricting the flow of personal information across international borders. Synexus has put in place measures to ensure that adequate protection is provided to such data where legally mandated. For example, Synexus has executed Standard Data Protection Clauses (“SDPC”) for the purpose of transferring certain personal information from the European Economic Area or from the United Kingdom. EU or UK residents whose personal information is handled under these SDPC may request a copy of the agreement from Synexus through the contact details listed below. Where privacy risks are very low, for example with respect to the sharing of key coded data, Synexus may rely on informed consent from individuals for the transfer of their information to legal regimes with less strong data privacy safeguards.
At the point of data collection, Synexus will provide notice to individuals in a clear and conspicuous language about how their information will be used, disclosed and transferred; what choices they have in relation to how their data are handled; what informational rights they have under data privacy law or under this Policy; and who to contact with any questions or complaints. These privacy notices are tailored to specific situations of data collection. In providing such notice, Synexus meets its obligations to be transparent and fair with individuals as is required by many data privacy laws. Dependent on the medium, notice may be given in person, by email, post, telephone, or by posting on our website.
In many situations, including where mandated by data privacy law, and also where it is a matter of good practice, Synexus will seek consent of individuals to collect, use and disclose their data consistent with the relevant privacy notice. However, in certain cases where law allows, particularly where gaining consent will involve a disproportionate effort, where intended processing of the data is in Synexus’s or our clients’ legitimate interests and the privacy risks are low, Synexus will proceed to process personal information absent of consent. Also, Synexus will use and disclose personal information without consent where required by law and judicial order. Consistent with GCP, laws on confidentiality and data privacy regulations, Synexus will collect necessary informed consents of study subjects on behalf of its clients.
Data quality and accuracy are fundamentally important principles to Synexus. Crucial to the integrity of clinical research is the accuracy of data relating to study subjects, particularly where attached to bio-medical samples. Consistent with regulatory requirements, Synexus employs a professional quality assurance department. In general, our privacy notices provide individuals easy means of validating, correcting errors and updating information. Synexus retains personal information in accordance with contractual, legal and regulatory requirements.
In jurisdictions with data privacy laws, and where contractual commitments require, Synexus ensures that individuals can exercise all relevant informational rights with respect to their personal information processed by the company, including but not limited to the right of access and correction, to withdraw consent at any time, object to data processing, request data deletion, restrict aspects of data processing, prevent direct marketing and request transmission of personal data in a common digital format (e.g. pdf) to the themselves or another organization.
In all other respects, where no overriding interest prevails, Synexus will endeavor to allow the following informational rights under this Policy as a matter of good practice:
- to allow access to copies of personal information within a reasonable timeframe;
- to correct personal information where inaccurate; and
- to withdraw a previously provided consent to processing of personal information.
Subjects enrolled in clinical studies run by Synexus’s clients must contact the investigator at their Synexus site, who will be able to make the necessary link to subject identity.
The company maintains a comprehensive information security policy that seeks to apply technical and organizational security measures that protect personal information, particularly sensitive clinical data, against unauthorized access or loss. Consistent with regulatory requirements, particularly under U.S. state law and the Regulation, Synexus also maintains a detailed Security Breach Policy, which establishes a procedural response to dealing with any breach of personal information, including making any necessary notifications to individuals or governmental authorities.
Synexus does not collect information through our websites from individuals who are known to be under the age of 13, and no part of our online presence is directed to anyone less than 13 years.
Communications, queries, requests to exercise informational rights (e.g., access to data) or complaints can be addressed to the attention of the Data Protection Officer, Privacy Department, Granta Park Cambridge, CB21 6GQ, United Kingdom or via email at [email protected].
Under the Regulation, Synexus Polska Sp. z o.o. as Synexus’s leading EU affiliate (“controller”) for data protection purposes, shall be primarily responsible for data protection matters affecting our EU group of companies. For purposes of compliance with the Regulation, the Data Protection Officer may be contacted through the co-ordinates above.
Within the EU, individuals have the right in law to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with the Regulation. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Residents of the United Kingdom have the right to complain about how their information is handled to the Information Commissioner’s Office (https://ico.org.uk/).
This Policy is not a contract, and it does not create any legal rights or obligations. Synexus reserves the right to modify or amend this Policy. For instance, the Policy may need to change as new legislation is introduced or as it is amended. The updated Policy will be posted on https://www.synexus.com/. Last Updated: June 25, 2021