This Privacy Notice for Healthcare Professionals describes how KCR CRO (“KCR, “us” or “we”), collects, uses and discloses personal information relating to you as a healthcare professional, how we protect your personal data, and your rights in relation to data protection when we interact or cooperate with you.
We process your personal data in accordance with the European General Data Protection Regulation no. 679/2016 ("GDPR") and any other applicable local laws and regulations.
How to contact us:
If you have any questions about this Privacy Notice for Healthcare Professionals or would like to contact us about any other matter related to the processing of your personal information, please use the following contact information:
| Data Controller |
KCR S.A. 6 Postępu Street 02-676 Warsaw, Poland |
| Data Protection Officer | E-mail: gdpr@kcrcro.com |
What types of information we collect about you
“Personal data” is a single piece of information or a set of information about you as a natural person, such as name(s) and surname, national identification numbers, contact details and other data that pertains to you directly or indirectly and which, by itself or in combination with other information, allow you to be identified.
We collect personal data that you have voluntarily shared with us when you enter into a contract with us, submit an application or inquiry to us and or that we collected through other sources (e.g. our vendors, business partners, webpages of the study centres, public and commercial databases or registries and referrals). We may use such third-party data to confirm your contact details or verify your qualifications as a healthcare professional.
Categories of personal data that we collect about you includes:
A. Personal identifiers and contact details:
— Your contact details: first name, last name,
— Your national identifiers,
— Your address of residence or mailing address, if it is different from the address of residence,
— Your mobile phone, landline number, fax number, e-mail address,
— Preferred method and days/time for contact.
B. Professional details:
— Your specialization and/or primary specialty/discipline,
— Your title and license number confirming the right to practice the medical profession,
— Your professional experience and other information included in your CV, such as your current and
past positions, education, academic title, medical specialties or completed training, positions and
functions, name and address of current place of employment, professional experience in the field of
clinical trials or other scientific research projects, including therapeutic areas and your role in
the research project, participation in GCP inspections/audits, publications, membership in medical
associations,
— Your professional interests (scientific / medical and / or occupational fields of interest.
C. Your personnel/primary contact person for follow up questions (“Other site contact person”):
— First and last name of other site contact person,
— Role of other site contact person, their preferred title,
— Other site contact data (mobile phone, landline number, fax number, e-mail address) their preferred
method and days/time for contact),
D. Study site characteristics and capabilities:
— Name, type and address of the associated healthcare facility / study site where the clinical trial
would be or is conducted,
— Areas of specialization of the study site,
— General information about the patient population, such as approximate number of patients that can be
enrolled at the study site (your patient pool),
— Available equipment / facilities.
E. Other data provided by you on documents collected before or during the scientific research project, including further information necessarily in a scientific research project or our contractual relationship, such as:
— Your bank account number,
— Your tax identification number or foreign identification number (FIN)
— Your number and series of identification document (personal ID)
— Country of issuance of FIN/personal ID,
— Your citizenship,
— Your date and place of birth and your parents’ names,
— Your place of residence, e-mail address and/or telephone number.
We do not collect special categories of personal data relating to you like health or judicial data.
Providing the data is voluntary, but necessary to enable us to fulfill the purpose(s) described above. If you do not provide us with your personal data, it may make it difficult or impossible to fulfill these purpose(s). If you do not provide data necessary for performance of the contract or fulfillment of legal obligations, you may not qualify for a scientific research project / collaboration with us.
What we do with your personal data
Your personal data will be processed only for the purposes as described in this Privacy Notice for Healthcare Professionals:
| Purpose | Lawful basis for processing |
|---|---|
| To fulfil a query, to respond to your inquiries and fulfil your requests for services and/or to administer our services. | Article 6 paragraph 1 point f of the GDPR (the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms) - our legitimate interest here is to identify the sender of the query and handle the query, including queries transmitted through electronic means. |
| To share your data with our business partners / customers for their own purposes related to scientific research project, including a clinical trial or other scientific research project, in which you are interested in | Article 6 paragraph 1 point a of the GDPR – upon your prior consent |
|
To perform feasibility/e-feasibility* and/or consulting services for the research
project *Activities related to identification and selection of study sites participating in a scientific research project including a clinical trial or other scientific research project |
Article 6 paragraph 1 point b (where the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request) and Article 6 paragraph 1 point c of the GDPR (where the processing is necessary to comply with our legal or regulatory obligations) |
| To execute or perform a contract concluded by our company or to settle payments based on that contract (billing and invoicing) | Article 6 paragraph 1 point b (where the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request) and Article 6 paragraph 1 point c of the GDPR (where the processing is necessary to comply with our legal or regulatory obligations, resulting mainly from tax regulations and in the field of social insurance) |
| To facilitate your attendance at one of our events / meetings. | Article 6 paragraph 1 point b of the GDPR (where the processing is necessary for the performance of a contract to which you are a party or in order to take steps prior to entering into a contract) |
| To maintain records of prospective, current and past partners and be able to communicate with you about scientific research opportunities, scientific and market research surveys, as well as for the effective continuation of our business cooperation in the future. | Article 6 paragraph 1 point f of the GDPR - our legitimate interest in undertaking marketing activities to offer you opportunities that may be of your interest. |
| To provide you with our online newsletter and/or commercial information through electronic means (e.g. your e-mail or mobile) | Article 6 paragraph 1 point a of the GDPR (your consent). |
| To prevent fraud and or to establish, exercise or defense of legal claims (application and conducting of court, arbitration or mediation proceedings, handling complaints, requests in connection with our cooperation with you as a healthcare professional) | Article 6 paragraph 1 point f of the GDPR - legitimate interests pursued by KCR as the data controller |
Your data recipients
Your personal data will be processed by our authorized personnel or our agents on “a need to know” basis, depending on the specific purposes for which your personal data have been collected.
We have established and keep a CRM/sales force database in which personal data of healthcare professionals and their medical practices are stored. The access to this database is only limited to our employees that require it for the processing purposes outlined herein.
We may also share your data with:
A. Our service providers:
If this is compliant with applicable law, we may transfer your personal data to other entities,
including our suppliers, vendors and subcontractors (service providers):
— rendering accounting and tax services,
— training services providers, hotels and business trip providers,
— servicing and managing our IT systems,
— providing e-clinical health solutions,
— cloud service or database providers,
— providing auditing, consulting and/or legal advisory services,
— providing courier or postal services.
Service providers are only allowed to access and use your personal data on our behalf for the specific tasks that they have been requested to carry out, based on our instructions, and are required to keep your personal data confidential and secure. We do not authorize our service providers to use or disclose the information except as necessary to perform services on our behalf or to comply with legal requirements.
B. Our affiliated companies:
In case of data transfer to the companies from our capital group, we may have a legitimate interest in transmitting personal data for internal administrative purposes and internal reporting.
C. Public authorities, regulatory authorities and courts as required or permitted by applicable laws.
When complying with the statutory provisions and regulations and enforcing our own rights before the courts, we share your data with public authorities, government regulators or other entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes required by the applicable regulations, also regarding the evaluation and supervision of the scientific research project.
D. Our business partners
Upon your consent, we may also share your personal data with our business partners (pharmaceutical companies that develop and test new drugs and medical devices) for their own purposes, in particular to assess your eligibility to participate in their scientific research projects. This may involve transferring your personal data outside the European Economic Area (EEA), to the United States and/or other countries that may not have data protection laws equivalent to those in the EEA. Their identity will be disclosed at the time you have been identified as a potential study team member for their project.
You should be aware that we no longer control your data nor any further processing or use by the recipient after transfer or disclosure of your data to a third party other than a service provider/agent acting under our control.
Except in situations where you have given your consent, we do not share your personal data with any third parties.
International data transfers
Your data may be transferred to, stored and processed in a country located outside European Economic Area (EEA), including to countries which data protection and privacy laws may not be equivalent to, or as protective as, those which apply in the EEA.
In any case, we always make sure that appropriate and suitable safeguards compliant with the GDPR are put in place. We implement appropriate safeguards, such as approved standard contractual clauses added to the agreements with our business partners to protect your personal data in accordance with applicable legal requirements and/or will rely on your explicit consent. A copy of such an agreement could then be obtained on request from our Data Protection Officer. You can use the contact information below to request more information on the appropriate safeguards in place.
Your rights and obligations
You have the right to request access to and rectification or erasure of your personal data, as well as restriction of processing, data portability, the right not to be subject to a decision based solely on automated processing, including profiling, and the right to object to your personal data processing.
If you think any information, we have about you is incorrect or incomplete, please contact us as soon as possible. We will correct or update any information as soon as we can.
You have the right to object the personal data processing where the processing is carried out based on legitimate interests and/or for statistical purposes and your objection is justified by your particular situation.
You have the right to withdraw your consent to personal data processing at any time to the extent to which your consent applies. Withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal.
If you are unhappy with the way in which we have handled your personal data, you have the right to file a complaint with the supervisory body dealing with the protection of personal data in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes provisions of the GDPR.
You can exercise those rights by sending a request to our Data Protection Officer at gdpr@kcrcro.com.
We encourage you to contact us first, as we aim to promptly, efficiently and satisfactorily resolve any concerns or complaints you may have in relation to the processing of your personal data.
To fulfill your request, we will require you to provide satisfactory proof of your identity to ensure that your rights are respected and protected. This is to ensure that your personal data is disclosed only to you.
How long we store your personal data for
All personal data as specified above will be retained for as long as necessary to fulfill the purpose(s) for which it was collected or to comply with legal or regulatory requirements and in any case for the maximum data retention period set forth by the applicable law provisions.
When this legal basis expires, we process the personal data to pursue a legitimate interest of the data controller for the duration of any applicable limitation period (period during which a person could bring a legal claim against our company). During this time, we will limit our processing of your personal data to the scope necessary in connection with any claim or any obligation under applicable law.
We will not process your personal data if we do not have a proper justification foreseen in law for that purpose. If we have no legal basis for further processing under GDPR, we will either delete, remove or anonymize personal data relating to you.
Updates
This Privacy Notice for Healthcare Professionals may be amended or updated from time to time, so please check it regularly for updates. If we make any significant changes to its content, we will communicate this to you where possible through available means so that you can exercise your rights (e.g. to object to the processing).
Please contact us on the details above if you have any questions about this Privacy Notice for Healthcare Professionals or processing of your personal data at: gdpr@kcrcro.com.