Data Privacy Network

Effective Date: Feb 17, 2025

The Data Privacy Framework provides companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union, United Kingdom, and Switzerland to the United States in support of transatlantic commerce.

Overview

Total Trials complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Total Trials has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Total Trials has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over Total Trials’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Scope

This Policy applies to all Personal Data of Data Subjects received by Total Trials in the United States from the European Union/European Economic Area, the United Kingdom (and Gibraltar), or Switzerland, including Personal Data of consumers, healthcare professionals, patients, medical research subjects, clinical investigators, customers, suppliers, vendors, job applicants, business contacts and partners, investors, and government officials.

Adherence to the Data Privacy Framework Principles may be limited (i) to the extent required or allowed by applicable law, rule, or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Data Subject. Also, this Policy may not apply or may be limited when Personal Data is collected or processed by the following:

  • Total Trials, under an agreement that contains the requisite Model Contract Clauses approved by the European Commission with respect to the Personal Data;
  • Total Trials, when necessary for the performance of a contract (e.g., an employment contract) between a Data Subject and Total Trials; or
  • Any Total Trials affiliate, successor, subsidiary, business division or group that makes a separate certification to Data Privacy Framework, whether or not such certification covers only part of or all types of Personal Data in scope of this Policy.

Definition

  1. Agent – Any third party that uses Personal Data provided to it by Total Trials to perform tasks on behalf of and/or under the instructions of Total Trials or to which Total Trials discloses Personal Data for use on its behalf.

  2. Controller – A person or organization that decides what personal data will be collected and how it will be collected, stored, and used, and then collects and processes data, either directly or through a processor, for its own purposes.

  3. Data Subject – Any natural person located in the European Union/European Economic Area, United Kingdom (and Gibraltar), or Switzerland whose Personal Data is shared with Total Trials in the United States. Sometimes referred to as “you” or “your.”

  4. European Economic Area (EEA) – For the purposes of this Policy composed of the following thirty (30) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

  5. Personal Data – Any information that relates to an identified or identifiable natural (living) person (a “data subject”), such as names, email addresses, identification numbers, online identifiers (e.g., IP addresses), employee or applicant information, location data, biometric data, photographs, and health or financial information. The term “Personal Data” does not include non‐identified information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person) and publicly available information that has not been combined with non‐public personal information.

  6. Data Privacy Framework Principles – The seven (7) privacy principles, as well as the supplemental privacy principles and the associated guidance; details can be found at https://www.dataprivacyframework.gov.

  7. Processing – Collection, storage, use, sharing, or destruction of personal data, whether manually or by electronic or automated means.

  8. Processor – A person or organization that processes personal data on behalf of a controller.

  9. Sensitive Personal Data – Health, genetic, and biometric information; information relating to children; and data that reveals the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation.

Policy

Total Trials notifies Data Subjects covered by this Data Privacy Framework Policy about its data practices regarding Personal Data received by Total Trials in the U.S. from European Union/EEA member countries, United Kingdom (and Gibraltar), and Switzerland in reliance on the respective Data Privacy Framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that Total Trials offers for limiting its use and disclosure of such Personal Data, how Total Trials’s obligations under the Data Privacy Framework are enforced, and how Data Subjects can contact Total Trials with any inquiries or complaints. Total Trials will provide information about its participation in the Data Privacy Framework and a reference to the Data Privacy Framework List (https://www.dataprivacyframework.gov/s/participant-search). Notice will be provided in clear and conspicuous language.

Where Total Trials receives Personal Data from its subsidiaries, affiliates, or other entities, including when acting as a Contract Research Organization (CRO) processing Personal Data under the direction of a customer, it will use such information in accordance with the notices provided by such entities and the choices made by the Data Subjects to whom such Personal Data relates.

In circumstances in which Total Trials obtains Personal Data as a service provider for its clients or affiliates, Total Trials’s clients or affiliates are responsible for providing appropriate notice to the Data Subjects whose Personal Data are transferred to the U.S. and obtaining any requisite consent (unless this function has been delegated to Total Trials).

Types of Personal Data collected, Purposes of Collection and Uses of Personal Data

Total Trials may also use the Personal Data collected below to comply with its legal and regulatory obligations, policies and procedures, and for internal administrative purposes.

A. Research Studies-Related Information. For Data Subjects participating in research studies being managed by Total Trials as a CRO or in other situations where Total Trials is participating in research studies, including patients, their spouses/partners, care givers, and relatives, clinical investigators or other study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates, business partners and third‐party service providers, Personal Data may be used in order to carry out the applicable studies and other study‐related services and/or pharmacovigilance. This may include the transfer of such Personal Data to the applicable study sponsor, its corporate affiliates, business partners and third‐party service providers performing services related to the study (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).

B. Human Resources-Related Information. For Data Subjects who are Total Trials employees, consultants and contractors (Personnel), we will process Personal Data to carry out and support our human resources functions and activities, including but not limited to, (i) evaluation of qualifications for an employment position; (ii) provision of employment benefits; (iii) administration and management of employees, compensation, stock options, grants and purchase plans, bonuses, retirement, training, and career planning; (iv) utilizing employee skills and ongoing employee resource allocation; (v) communicating with employees or their emergency contacts; (vi) administration of the company’s business including budgeting, manpower planning, and organizational design; (vii) authentication of the individual’s identity when gaining access to computer system applications; (viii) Personal Data changes; (ix) employment status changes; (x) travel and expense planning and reimbursement; (xi) evaluation of employee performance and time management; and (xii) management of Personnel performance, and implementation, investigation and reporting on compliance and discipline procedures and matters. Total Trials may provide Personal Data to Agents to support Total Trials in performance of these human resources‐related activities. Further information concerning how Total Trials collects, uses, shares, and safeguards the Personal Data of Company Personnel is available to Total Trials Company Personnel in Total Trials’s internal privacy policy. In addition, for job applicants, Personal Data will be used for the evaluation of suitability of the applicant for a position. Total Trials may, at its discretion and with the consent of the candidate where required by law or otherwise obtained, perform such background checks as deemed appropriate to evaluate this suitability.

C. Business Contacts. For Data Subjects who are business contacts of Total Trials, Total Trials may collect Personal Data concerning contact information for such business contacts. This information may be used for purposes consistent with the provision of information by these contacts, which may include marketing activities focused on sales of new products and services, requests to participate in market research that enhance Total Trials’s product offerings and other business activities.

D. Health Care Professionals. Total Trials collects information about health care professionals directly from the health care professionals, from public sources and from business partners. We use this information in connection with various health care activities, including clinical trials, real world studies of patient treatment, health care outcomes analysis, market research activities, and other situations where primary intelligence from health care professionals is applicable.

E. Customers and Program Participant Information. For Data Subjects sharing Personal Data with Total Trials to inquire about or otherwise make use of our services or purchase, receive, or seek information, including about any health care products and services, opportunities to participate in clinical research, health care education and patient support programs which may be available through Total Trials, we will use such Personal Data to provide the requested information, products, and/or services. Such uses may include, but are not limited to, processing requested transactions, improving the quality of our services, sending communications about the products and services available through Total Trials, and enabling our business partners and Agents to perform certain activities on our behalf.

F. Data Analytics Functions. In certain situations, Total Trials obtains and processes information about Data Subjects for various data analytics purposes. In most situations, this data has been anonymized or de‐identified and is no longer Personal Data when it is obtained by Total Trials (or when it is transferred to the United States). In some situations, Total Trials receives Personal Data from a customer or other data supplier for the purpose of such anonymization or de‐identification. In other situations, the data that is obtained and processed by Total Trials is pseudonymous. This pseudonymous information may be used for research purposes, primarily in connection with academic partners and academia, and may be transferred by Total Trials to the United States as part of these research-related activities. For all these situations, Total Trials’s activities are consistent with the notice and choice provided by these customers or data suppliers to Data Subjects, and Total Trials’s use of this information is consistent with Total Trials’s obligation to provide services to these entities. In those situations, and where such information is transferred to the United States, Total Trials uses such information only in manners consistent with the Data Privacy Framework Principles and the manner in which this data was obtained.

Choice

If Personal Data covered by this Data Privacy Framework Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, Total Trials will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: [email protected].

If Sensitive Personal Data covered by this Data Privacy Framework Policy is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party, Total Trials will obtain the Data Subject’s explicit consent prior to such use or disclosure.

In some cases, even if a Data Subject opts out of disclosures of their Personal Data, Total Trials may still disclose such Personal Data (i) if required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce Total Trials policies or contracts; (v) to collect amounts owed to Total Trials; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) when we in good faith believe that disclosure is otherwise necessary or advisable. Total Trials also may transfer Personal Data when a material event concerning its business operation(s), assets, or shares, such as purchase, disposal, merger, joint venture, or acquisition, is proposed or occurs. In such an event, Total Trials will endeavor to direct the transferee to use Personal Data in a manner that is consistent with this Policy. Total Trials will provide Data Subjects with reasonable mechanisms to exercise their choices to the extent required by applicable law.

Accountability for Onward Transfer

In the event Total Trials transfers Personal Data covered by this Data Privacy Framework Policy to a third party acting as a controller, it will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Data Privacy Framework Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Total Trials has knowledge that a third party acting as a controller is processing Personal Data covered by this Data Privacy Framework Policy in a way that is contrary to the Data Privacy Framework Principles, Total Trials will take reasonable steps to prevent or stop such processing.

With respect to our agents, we will transfer only the Personal Data covered by this Data Privacy Framework Policy needed for an agent to deliver to Total Trials the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Total Trials’s obligations under the Data Privacy Framework Principles; and (iv) require the agent to notify Total Trials if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles.  Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.

Security

Total Trials takes reasonable and appropriate measures to protect Personal Data covered by this Data Privacy Framework Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

Data Integrity and Purpose Limitation

Total Trials limits the collection of Personal Data covered by this Data Privacy Framework Policy to information that is relevant for the purposes of processing. Total Trials does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

Total Trials takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. Total Trials takes reasonable and appropriate measures to comply with the requirement under the Data Privacy Framework to retain Personal Data in identifiable form only for as long as it serves a purpose of processing, which includes Total Trials’s obligations to comply with professional standards and Total Trials’s business purposes, unless a longer retention period is permitted by law, and it adheres to the Data Privacy Framework Principles for as long as it retains such Personal Data.

Access

Data Subjects whose Personal Data is covered by this Data Privacy Framework Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Data Privacy Framework Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated).  Requests for access, correction, amendment, or deletion should be sent to: [email protected].

Total Trials, when acting as a CRO, has no direct relationship with medical research subjects participating in a clinical trial, and any such Data Subjects who seek access, or who seek to correct, amend, or delete their inaccurate Personal Data, should direct their queries to the relevant study sponsor or investigator that has transferred such Personal Data to Total Trials for processing.

In circumstances in which Total Trials maintains Personal Data as a service provider for its clients or affiliates, Total Trials’s clients or affiliates are responsible for providing Data Subjects with access to their Personal Data and the right to correct, amend or delete the data where it is inaccurate. In these circumstances, Data Subjects should direct their questions to the appropriate Total Trials client or affiliate. If they do not receive a response, Total Trials will provide reasonable assistance in forwarding the Data Subject’s request.

Recourse, Enforcement and Liability

Total Trials’s participation in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF is subject to investigation and enforcement by the Federal Trade Commission.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Total Trials commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Total Trials at: [email protected].

In addition, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Total Trials commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to Data Subjects. If any request remains unresolved, Data Subjects may, under certain circumstances, have a right to invoke binding arbitration under Data Privacy Framework; for additional information, see https://www.dataprivacyframework.gov.

In addition, Total Trials has agreed to cooperate with Judicial Arbitration and Mediation Services, Inc. (JAMS) with respect to complaints of Data Subjects who are not Personnel of the Company and with the local data protection authorities with respect to Personnel and human resources related information. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/DPF-Dispute-Resolution. Such independent dispute resolution mechanisms are available to Data Subjects free of charge. If any request remains unresolved, Data Subjects may have a right to invoke binding arbitration under Data Privacy Framework.

In circumstances in which Total Trials obtains or maintains Personal Data as a CRO or other Service Provider, Data Subjects may submit complaints concerning the processing of their Personal Data to the relevant client, in accordance with the client’s dispute resolution process. Total Trials will participate in this process at the request of the client or the Data Subject.

Total Trials agrees to periodically review and verify its compliance with the Data Privacy Framework Principles, and to remedy any issues arising out of failure to comply with the Data Privacy Framework Principles. Total Trials acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Data Privacy Framework participants.

This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Data is maintained. All amendments will be posted on the Total Trials website. Please check back periodically for updates to this Policy.