Canfield Scientific, Inc. (Canfield) is committed to protecting the privacy of individuals with whom we conduct business all over the globe. In order to conduct business globally in an increasingly electronic economy, it is often necessary to collect Personal Information (PI) about our partners and customers.
Health Insurance Portability and Accountability Act (HIPAA) – enacted on 21-Aug-1996; federally mandated requirements for the creation, transmission, receipt, collection, storage, use, and disclosure of individually identifiable health information. HIPAA is applicable to anyone encountering patient information [including Contract Research Organizations (CROs)] and applies to Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) in order to reduce health care fraud and abuse.
Health Information Technology for Economic and Clinical Health Act (HITECH) – enacted on 18-Feb-2009; regulation which expanded HIPAA regulation to cover ePHI and specify requirements for notifying patients in the event of unauthorized disclosure or breach of security.
General Data Protection Regulation (GDPR) – enacted on 25-May-2018; regulation replacing Directive 95/46/EC which imposes obligations on organizations responsible for the handling and/or collection of data related to individuals within the European Union (EU). See Definitions section below for applicable terminology.
United Kingdom (UK) Privacy Act – enacted on 25-May-2018; extension of the General Data Protection Regulation (GDPR) which controls the use of data of individuals located within the United Kingdom (UK) and enforces strict data protection principles; applicable to organizations, businesses, and government.
California Consumer Privacy Act (CCPA) – enacted on 01-Jan-2020; the California Privacy Rights Act will fully replace the CCPA in 2023; serves to expand existing privacy laws to grant consumers greater control over their personal data through the provisioning of consumer rights; includes the Right to Know, Right to Delete, Right to Opt-Out of Sale, and Right to Non-Discrimination.
- Data Controller – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed; the role of Sponsors working with Canfield.
- Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller; Canfield primarily serves as a Data Processor.
- Data Processing – any operation(s) performed on personal data (or personal data sets), whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Protection Officer (DPO) – individual responsible for matters relating to privacy and data protection within an organization.
- EEA – European Economic Area
- FTC – Federal Trade Commission
- Personal Data / Personal Information (PI) – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Protected Health Information (PHI) – any individually identifiable health information, which can include the following:
  - Individual’s past, present, and future physical and mental health conditions
  - Provision of health care to the individual
  - Past, present, or future payment for provision of health care to the individual
COLLECTION OF YOUR PERSONAL INFORMATION (PI)
When providing services to customers, Canfield may request Personal Information (PI). Personal Data that may be requested includes the customer’s name, email address, company name, and/or telephone number. The customer’s provision of this information is strictly voluntary as Canfield uses this information to customize the user’s experience on our website, to provide alerts for products and services that can assist our client’s business, promote site registration, and facilitate order processing. Additional PI may be collected if the services provided by Canfield require collection and use of such information.
Please Note: If the information collected contains the customer’s Protected Health Information (PHI), Canfield will handle this information in compliance with HIPAA and HITECH Regulations (including those that protect the rights of minors) as they pertain to the services being provided.
Any information collected from participants in clinical trials that Canfield is involved in will be collected according to the participant’s written consent and under instructions from the trial sponsor. Any questions about the data collected by Canfield as part of a clinical trial may be directed to the trial sponsor.
USE OF YOUR PERSONAL INFORMATION (PI)
Canfield’s website may be visited without divulging any Personal Information (PI). However, some areas of the site require Personal Information (PI) to complete their customization functions, and those functions may not be available to visitors who choose not to provide the information requested.
DISCLOSURE TO THIRD PARTIES
In cases where Canfield believes business interests will be served, Canfield may share information (excluding account, credit card, and ordering information) with Canfield distributors who can alert customers to new products and services to improve competitive edge. If customers receive unwanted marketing materials from any of our distributors, they can request to be removed from their contact lists.
Personal Information (PI) may be disclosed by Canfield to judicial or other government agencies subject to warrants, subpoenas, or other governmental orders in accordance with applicable law.
COLLECTING DOMAIN INFORMATION
Canfield collects domain information as part of its analysis of the use of its website. This data enables us to become more familiar with which customers visit our site, how often they visit, and what parts of the site they visit most often. Canfield uses this information to improve its web-based offerings. This information is collected automatically and requires no action on the customer’s part.
Canfield also uses web cookies on this site. The type of information we collect includes the pages visited, files downloaded, type of browser used, etc. This information helps us to learn what pages are most attractive to our visitors, which of our products most interests our customers, and what kinds of offers our customers like to see.
Cookies cannot read data off hard drives. Web browsers may allow notification when a cookie is received, giving web users the choice to accept it or not. By not accepting cookies, some pages may not fully function and users may not be able to access certain information on this site.
PROTECTING OUR CUSTOMERS
Protecting and securing Personal Information (PI) is Canfield's top priority.
Canfield has put the appropriate administrative, technical, and physical safeguards in place to protect individuals’ personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
We prevent unauthorized access by a secure firewall and through the use of a security infrastructure to protect the integrity and privacy of subject information. We also keep subject Personal Information (PI) secure by encrypting any transfers of Personal Information (PI).
At Canfield, only authorized personnel will have access to Personal Information (PI) when it pertains to their job responsibilities.
Canfield seeks to use reasonable organizational, technical, and administrative measures to protect Personal Information (PI), but subjects should be aware that any electronic means of communication may carry some level of risk and that no data transmission or storage system can be guaranteed as 100% secure.
TRANSFER OF PERSONAL DATA
As part of Canfield’s responsibility for clinical trials, Canfield often receives Personal Information (PI) collected about subjects by investigative sites located all over the globe, including the EEA, Switzerland, and the UK.
Transfers of data to countries outside the EU are deemed not to have an “adequate level of data protection.” For American-based companies, one of the best mechanisms for providing such adequate data protection is the EU-U.S. and Swiss-U.S. Privacy Shield program run by the U.S. Department of Commerce.
EU-U.S. and Swiss-U.S. Privacy Shield is a self-regulatory mechanism under which U.S. based companies can voluntarily agree to abide by a set of principles negotiated between the United States government and the European Commission. Transfers made to a Privacy Shield certified company in the United States are deemed as having an adequate level of data protection.
For more information about the EU-U.S. and Swiss-U.S. Privacy Shield Framework, please visit www.privacyshield.gov.
Canfield has self-certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and complies with the principles of these frameworks.
Canfield’s commitment under the Privacy Shield extends to personal data received from the United Kingdom (UK) in reliance on Privacy Shield. In this regard Canfield commits to cooperate and comply with the UK Information Commissioner’s Office with regard to personal data received.
Advisory: Please note that as of July 16, 2020, Canfield no longer relies on the EU-U.S. or the Swiss-U.S. Privacy Shield to transfer data that originated in the EEA, Switzerland, or the UK to the U.S. We may continue to rely on alternative data transfer mechanisms deemed appropriate by the relevant authorities to transfer data collected from the EEA, Switzerland, and the UK to the U.S., such as Standard Contractual Clauses (SCCs).
CANFIELD AS A DATA PROCESSOR
When participating in clinical trials and offering services to its clients Canfield acts as a Data Processor as defined in the General Data Protection Regulation (GDPR). This means that Canfield does not make independent decisions regarding personal data received from EEA, Switzerland, and/or the UK nor owns or controls such personal data, and as such only processes it under instructions from the Data Controllers.
Canfield processes personal data for clinical trials (such as photographs, dates when photographs were taken, and data subject coded identifiers, which may include some of the following: initials, year of birth, etc.). Where possible, Canfield only receives pseudonymized data from the EU, Switzerland, and the UK. Pseudonymization is a type of processing of personal data in a way that the data can no longer be attributed to a specific subject without the use of additional information.
Canfield processes personal data (such as name, address, email addresses, computer IP address, login time and day, and pages viewed) in electronic form from its customers in the EEA, Switzerland, and the UK (e.g., institutions, physicians, and aesthetic and retail establishments).
CANFIELD AS A DATA CONTROLLER
When providing services to its clients, Canfield may act as a Data Controller. If Canfield has a need to use a subject’s personal data, the subject’s consent will be obtained first, with an explicit description of the uses of the subject’s data.
DATA PROTECTION OFFICER (DPO)
Canfield has appointed a Data Protection Officer (DPO), who is responsible for matters relating to privacy and data protection at Canfield. If subjects have any questions about collection or storage of their personal data, please contact Canfield’s DPO using the information provided below.
Canfield Scientific, Inc.
4 Wood Hollow Road
Parsippany, NJ 07054
Canfield’s DPO – Tanya Demerjian
To comply with Article 27 of the GDPR, Canfield has also appointed an EU Representative in the Netherlands. Subjects can reach Canfield’s EU Representative at:
Canfield Scientific Europe, BV
Proostwetering 28A, 3543 AE
+31 (30) 241-2131
Canfield’s EU Representative – Peter Kollias
Canfield recognizes its adherence to the Privacy Principles (Principles) as follows:
NOTICE / TRANSPARENCY / ACCESS / RECTIFICATION
Every data subject has the right to know about the purpose(s) for which their personal data is being collected, what personal data about them is collected, whom they can contact to inquire about their data, and how to file a complaint if necessary.
As Canfield does not directly communicate with data subjects (clinical research participants) due to the nature of the agreements with the Data Controllers, Canfield assures that Data Controllers provide the data subjects with their right of notice.
Data Controllers are responsible for providing data subjects with their rights to know what data about them is being collected, for what purposes, and to whom outside of the EEA, Switzerland, and the UK it has been or will be transferred.
Personal data may be disclosed by Canfield to judicial or other government agencies subject to warrants, subpoenas, or other governmental orders in accordance with applicable law.
Data subjects must be given access to the personal data that Canfield holds about them. They should also be able to correct, amend, or delete this information where it is inaccurate.
Due to the processing of clinical research data, there may be limitations on data subjects’ access to their data during the course of a clinical trial. This is because clinical research and its results must be protected from being jeopardized. After the clinical trial has concluded, data subjects may request to exercise their right to access their data with the Data Controllers. If Canfield receives such a request from a data subject, the request will be forwarded to the applicable Data Controller.
If personal data needs to be corrected, please contact the Data Controller (for clinical research – the Clinical Research Site/Sponsor; for services other than clinical – the Representative at the place of business).
CHOICE AND ONWARD TRANSFER
Canfield acknowledges that data subjects must be provided with the option to choose whether or not their personal data can be disclosed to third parties and used for purposes other than those for which it was collected.
It is the responsibility of the Data Controllers to provide this choice to the data subjects. This responsibility is ensured by the contractual obligations between Canfield (Data Processor) and its customers (Data Controllers) in the EEA, Switzerland, and the UK.
Personal data obtained by Canfield from data subjects in the EEA, Switzerland, and the UK will not be disclosed by Canfield without proper consent. If Canfield intends to use such personal data for purposes other than those for which it was intended, Canfield will obtain proper consent directly from the data subjects.
When providing services to its customers, Canfield may need to share an individual’s Personal Information (PI) with its subcontractors (Data Centers, Reviewers participating in Independent Panel Reviews, outside statistical services etc.). Canfield obtains assurances that its subcontractors can guarantee compliance with this policy and provide an adequate level of protection and security (in alignment with the Principles) with regards to personal data obtained from the EEA, Switzerland, and the UK.
If data is transferred to third parties, Canfield remains liable and assures the parties have the same or higher level of data protection.
Subjects can opt out of receiving marketing materials (right to object) by contacting Canfield distributors or by sending an e-mail to: DPO@CanfieldSci.com
ERASURE AND RESTRICTION OF PROCESSING
Every data subject has a right to erasure (to be forgotten) and the right to restrict processing of their data.
As Canfield acts strictly under the instructions from the Data Controllers, all requests for erasure and rectification must be forwarded to the Data Controllers. Canfield will destroy or rectify subjects’ data when and in a manner that is directed by the Data Controllers.
Additionally, due to regulatory and contractual requirements for clinical studies, Canfield will store subjects’ data for a period of time no less than fifteen (15) years.
Canfield will provide Data Controllers with subjects’ data it holds based on agreements between Canfield and Data Controllers. Data Subjects must contact Data Controllers to exercise their right to data portability (if applicable).
Canfield processes personal data received from EEA, Switzerland, and the UK based on the informed consent.
In clinical trials, investigative sites are responsible for ensuring that consent is freely given, specific, and unambiguous.
Canfield will use personal data obtained from the EEA, Switzerland, and the UK explicitly for the purposes such information was collected. Canfield will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current. Data collected under the EU-U.S. Privacy Shield will remain subject to these principles for as long as it is retained.
Canfield is committed to comply with this Policy and will periodically verify and confirm that it is accurate, up to date, and in compliance with the Principles. We encourage our customers who have concerns or questions regarding this Policy to contact Canfield’s DPO at DPO@CanfieldSci.com or at the mailing address below:
Attn: Data Protection Officer
Canfield Scientific, Inc.
4 Wood Hollow Road
Parsippany, NJ 07054
United States of America
Data subjects should submit complaints concerning the processing of their personal data to the applicable Data Controllers in the EEA, Switzerland, and the UK responsible for collecting their information in accordance with the relevant dispute resolution mechanism.
Canfield has chosen Privacy Trust as its dispute resolution mechanism. If subjects have a concern or complaint about Canfield’s privacy practices, subjects can contact us directly, or contact Privacy Trust at the following address: http://www.privacytrust.com/drs/canfield
Privacy Trust will handle any disputes free of charge to the person raising them. Canfield will respond to all complaints within forty-five (45) days.
Subjects may also invoke Binding Arbitration to resolve any complaints in accordance with Privacy Shield Annex I before the Privacy Shield Panel.
Subjects also have a right to lodge a complaint with the supervisory authority in the EEA, Switzerland, and the UK.
A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
Canfield is also subject to the investigatory and enforcement powers of the US FTC (Federal Trade Commission).
Canfield’s Data Protection Officer (DPO) will ensure the enforcement of this Policy.
Any Canfield employee who violates this Policy will be subject to disciplinary action that may result in the termination of their employment with Canfield.
Canfield reserves the right to amend this Policy at any time to ensure its compliance with the Principles or applicable data protection regulations.
This policy is effective as of 03 September 2014 and was last updated 19 January 2022.