Privacy Shield Policy
Quintiles (NYSE: Q) helps biopharmaceutical companies and other healthcare companies improve their probability of success by connecting insights from our deep scientific, therapeutic and analytics expertise with superior delivery for better outcomes. From advisory through operations, Quintiles is the world’s largest provider of product development and integrated healthcare services, including commercial and observational solutions. Quintiles is a clinical research organization (“CRO”) and conducts operations in approximately 100 countries, and is a member of the FORTUNE 500 and has been named to FORTUNE’s list of the “World’s Most Admired Companies.”
Quintiles and our subsidiaries and affiliates (collectively referred to as “Quintiles”, “Company”, “we” or “our”) respect the relationships we have with our customers and respect the privacy of all individuals whose Personal Information (see Definitions) may be processed by Quintiles in the performance of our services and our business operations. To demonstrate our commitment to the protection of Personal Information, including Personal Information transferred out of the European Economic Area (“EEA”) and Switzerland for the performance of our services and business operations, we adhere to the Privacy Shield Principles and are certified to the EU-U.S. Privacy Shield Framework (“Privacy Shield”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission. Further details of the Privacy Shield and the Privacy Shield Principles can be found on the website at https://www.privacyshield.gov. We also use model contractual clauses and other mechanisms approved by the European Union and Switzerland, respectively, for transfers of Personal Information from the EEA and Switzerland.
* * *
SCOPE: This Policy applies to all Personal Information of Individuals, either in electronic or paper format, received by Quintiles in the U.S. from the EEA or Switzerland, including Personal Information of Company Personnel, consumers, healthcare professionals, patients, medical research subjects, clinical investigators, customers, suppliers, vendors, business partners and investors.
LIMITATIONS ON SCOPE:
Adherence to the Privacy Shield Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of an Individual. Also, this Policy may not apply or may be limited when Personal Information is collected or processed by the following:
- Quintiles, under an agreement that contains the requisite Model Contract Clauses approved by the European Commission with respect to the Personal Information;
- Quintiles, when necessary for the performance of a contract (e.g., an employment contract) between an Individual and Quintiles; or
- Any Quintiles’ affiliate, successor, subsidiary, business division or group that makes a separate certification to Privacy Shield, whether or not such certification covers only part of or all types of Personal Information in scope of this Policy.
DEFINITIONS: For purposes of this Policy, the following definitions shall apply:
- “Agent” means any third party that uses Personal Information provided to it by Quintiles to perform tasks on behalf of and/or under the instructions of Quintiles or to which Quintiles discloses Personal Information for use on its behalf.
- “European Economic Area” (EEA) means for the purposes of this Policy all countries within the European Union (EU) and Iceland, Liechtenstein, Norway.
- “Individual” means any natural person located in the EEA or Switzerland whose Personal Information is shared with Quintiles in the United States.
- “Personal Information” means any information or set of information about an identified or identifiable individual, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the individual; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to an individual that is combined with any of the above. The term “Personal Information” does not include non-identified information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).
- “Personnel” includes, but is not limited to, any employee (permanent or temporary), director, officer, contractor, worker, temporary worker, job applicant, retiree of Quintiles and any and all of their respective dependents.
- “Privacy Shield Principles” collectively means the seven (7) privacy principles, as well as the supplemental privacy principles and the associated guidance details of which can be found at https://www.privacyshield.gov.
- “Quintiles” means Quintiles, Inc., its affiliates, successors, subsidiaries, business divisions and groups.
- “Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where processed to uniquely identify a person, any information that concerns medical or health conditions or sex life, or information relating to the commission of a criminal offense.
Where Quintiles collects Personal Information directly from Individuals, it will explain the purposes for which it collects and uses Personal Information about the Individuals, the types of third parties to which Quintiles discloses that information, and the choices and means, if any, Quintiles offers Individuals for limiting the use and disclosure of Personal Information about them. This explanation will be provided as soon as practicable and, in any event, before Quintiles discloses the Personal Information or uses such information for a purpose materially different than that for which it was originally collected or processed. Where Quintiles receives Personal Information from its subsidiaries, affiliates or other entities, including when acting as a CRO processing Personal Information under the direction of a customer, it will use such information in accordance with the notices provided by such entities and the choices made by the Individuals to whom such Personal Information relates.
Types of Personal Information collected, Purposes of Collection and Uses of Personal Information:
- Research Studies-Related Information. For Individuals participating in research studies being managed by Quintiles as a CRO, including patients, their spouses/partners, care givers, and relatives, clinical investigators or other study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates, business partners and third-party service providers, Personal Information may be used in order to carry out the applicable studies and other study-related services and/or pharmacovigilance. This may include the transfer of such Personal Information to the applicable study sponsor, its corporate affiliates, business partners and third-party service providers performing services related to the study (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).
- Human Resources-Related Information. For Individuals who are Personnel, we will process Personal Information to carry out and support our human resources functions and activities, including but not limited to, employment opportunities, Personnel recruitment and onboarding, administration of Personnel participation in benefits, compensation and human resources plans and programs, management of Personnel performance, and implementation, investigation and reporting on compliance and discipline procedures and matters. Quintiles may provide Personal Information to Agents to support Quintiles in performance of these human resources-related activities.
- Customers and Program Participant Information. For Individuals sharing Personal Information with Quintiles in order to inquire about or otherwise make use of our services or purchase, receive or seek information, including about any health care products and services, opportunities to participate in clinical research, health care education and patient support programs which may be available through Quintiles, we will use such Personal Information in order to provide the requested information, products, and/or services. Such uses may include processing requested transactions, improving the quality of our services, sending communications about the products and services available through Quintiles, and enabling our business partners and Agents to perform certain activities on our behalf.
Quintiles may also use the Personal Information collected above to comply with our legal and regulatory obligations, policies and procedures, and for internal administrative purposes.
Quintiles will offer Individuals the opportunity to choose whether their Personal Information is (a) to be disclosed to a third party, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the Individual.
Quintiles will not process Sensitive Personal Information about Individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the Individual unless the Individual explicitly consents to the processing (“opt-in”), or as required or permitted, or where not prohibited by law or regulation.
In some cases, even if an Individual opts-out of disclosures of their Personal Information, Quintiles may still disclose such Personal Information (i) if required to do so by law, (ii) if disclosure is required to be made to law enforcement authorities, or (iii) if we believe disclosure is necessary or appropriate to prevent physical harm to an individual or financial loss or in connection with an investigation of suspected or actual illegal activity. Quintiles also may transfer Personal Information when a material event concerning its business operation(s), assets or shares, such as purchase, disposal, merger, joint venture or acquisition, is proposed or occurs. In such an event, Quintiles will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Policy. Quintiles will provide Individuals with reasonable mechanisms to exercise their choices to the extent required by applicable law.
ACCOUNTABILITY FOR ONWARD TRANSFER
Transfers to third parties are covered by the provisions in this Policy regarding notice and choice.
Quintiles may also share an Individual's Personal Information with Agents in connection with services that these individuals or entities perform for, or with, Quintiles. Quintiles may, for example, provide an Individual's Personal Information to Agents for hosting our databases, for data processing services, or to send to that Individual the information that he or she requested.
Quintiles may transfer Personal Information for specified, limited purposes, to an Agent and will endeavor to obtain assurances that such Agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and this Policy and will notify Quintiles if it makes a determination it can no longer meet this obligation.
Where Quintiles knows that any third party to whom it has provided Personal Information is using or disclosing Personal Information in a manner contrary to this Policy, Quintiles will take reasonable steps to prevent or stop the use or disclosure. With respect to such onward transfers to Agents, and to the extent Quintiles is responsible for the event, Quintiles shall remain liable should its Agents process Personal Information in a manner inconsistent with the Privacy Shield Principles and this Policy.
Quintiles will employ reasonable and appropriate technical, administrative and physical safeguards designed to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information Quintiles is processing.
DATA INTEGRITY AND PURPOSE LIMITATION
Quintiles endeavors to use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. Quintiles will take reasonable steps designed to ensure that only Personal Information that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained is used by Quintiles for as long as Quintiles retains possession of such information. Quintiles’ Personnel have a responsibility to assist Quintiles in maintaining accurate, complete and current Personal Information. When acting as a CRO, Quintiles endeavors only to process Personal Information that is relevant to the services it provides, and only for purposes compatible with those for which the Personal Information was collected; wherever possible, such Personal Information is non-identified. Where Quintiles processes Personal Information as a CRO under the direction of its customers, Quintiles works with such customers so that the customers can provide a way for Individuals to correct or update their Personal Information.
Quintiles will, on request, provide an Individual with confirmation regarding whether Quintiles is processing Personal Information about them. In addition, upon request of an Individual, Quintiles will take reasonable steps to correct, amend, or delete their Personal Information that is found to be inaccurate, incomplete or processed in a manner non-compliant with this Policy or the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to that Individual’s privacy, where the rights of persons other than the Individual would be violated or where doing so is otherwise consistent with Privacy Shield Principles. Unless prohibited by applicable law, Quintiles reserves the right to charge a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals. Quintiles, when acting as a CRO, has no direct relationship with medical research subjects participating in a clinical trial and any such Individuals who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct his or her query to the relevant study sponsor or investigator which has transferred such Personal Information to Quintiles for processing.
RECOURSE, ENFORCEMENT AND LIABILITY
Quintiles encourages Individuals covered by this Policy to raise questions about the processing of Personal Information about them by contacting Quintiles’ through the contact information provided below. Any Personnel that Quintiles determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, where applicable.
Any questions or concerns regarding the use or disclosure of Personal Information should also be directed to Quintiles’ through the contact information given below. Quintiles will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy.
In addition, Quintiles has agreed to cooperate with the American Arbitration Association (“AAA”) with respect to complaints of Individuals that are not Personnel of the Company and with the local data protection authorities with respect to Personnel and human resources related information. For more information and to submit a complaint to AAA, visit http://go.adr.org/privacyshield.html. Such independent dispute resolution mechanisms are available to Individuals free of charge. If any request remains unresolved, Individuals may have a right to invoke binding arbitration under Privacy Shield. The Federal Trade Commission has jurisdiction over Quintiles’ compliance with the Privacy Shield.
CONTACT INFORMATION: Questions, comments, concerns or complaints regarding this Policy or Quintiles’ processing of Personal Information should be submitted to Quintiles by clicking here.
RESERVATION OF RIGHTS: Quintiles reserves the right to share an Individual’s Personal Information and contracts with Agents as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.
* * *
Information about how Quintiles Japan protects privacy is available on Quintiles’ Japan Internet site in Japanese at http://www.quintiles.co.jp/privacy.html.
* * *
Version 10.0; 18 September 2016