EU-US and Swiss-US Privacy Shield
Certara (hereafter “the Company”) cares about the privacy of its clients and business partners. The purpose of this policy is to provide its clients and business partners with information about what personal data the Company collects, why we collect it, how we use and handle it, individuals’ rights to access any personal data collected from them and their choice or consent related to limitations on how it is shared.
This policy also describes a point of contact in the organization where complaints about Certara’s handling of personal data can be directed, and information about how the Company is held accountable for safeguarding any personal data, should it be stored or transferred by Certara.
Certara agrees to adhere to the following Privacy Principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability, which are addressed herein (see also www.privacyshield.gov).
I. Types of Personal Data Collected
Certara receives personal information from customers or individuals who participate in clinical trials for the purposes of modeling and simulation analyses. While the data cannot be reasonably used to identify an individual, Certara has access to data collected at the individual level.
Materials received from clients may include the following information about subjects or employees:
- Name, signature and/or initials, and contact information.
- Patient/subject identifier codes.
- Physical and/or mailing address.
- Study roles.
- Non-academic titles, academic qualifications, and academic titles.
- Company name, organizational titles, and departments.
- Birth date and age.
- Date of death.
- Sex/gender, ethnicity, and race.
- Height, weight, BMI, and other medical data.
- Financial information, such as that which could be used to process invoices and payments. Examples include: billing addresses, financial institution names, and account and routing numbers.
II. Data Integrity and Purpose Limitation (Uses for Personal Data)
Certara receives source documents from clients to create documentation associated with drug development and lifecycle support activities, including sales, marketing and submissions to regulatory bodies worldwide. These documents may contain personal data. In addition, personal data may also be collected as part of the process of creating named user accounts that grant access to Certara systems. Access to files and computer systems, as well as to the personal information collected in connection with business, marketing, sales and account creation activities, is limited to the employees or contractors who have a legitimate business need. Document access controls are detailed in Certara’s Standard Operating Procedures (SOPs).
III. Security, Choices, and Access
In providing products and services that involve the transfer of personal data, Certara is acting as a data processor of client-controlled data. Certara acknowledges the individual’s right to access their personal data. An individual who seeks access or who seeks to correct, amend, or delete inaccurate data, should direct their written request to Adebayo.Olowoyeye@certara.com.
In addition, to protect this data and mitigate risk of a data breach, Certara employs the following security measures:
- Physical and logical access controls that limit who can access personal data based on business need.
- Privacy policies on which employees train annually.
- Privacy officer and Incident Response Team that field complaints.
- Business Continuity Plan that contains incident response plans for escalation and resolution of data breach incidents.
IV. Accountability for Onward Transfer
In providing products or services that involve the transfer of personal data, Certara acts as a data processor of client-controlled data. After it has provided services to the client using the personal information, that information is destroyed, archived, or returned to the client per applicable SOPs and client agreements, and is not transferred to any third parties.
If Certara transfers personal data to a third party, the recipient should have the same level of protection as is available under Privacy Shield. Certara will notify the recipient if it makes a determination that it can no longer meet this obligation. In those cases, Certara remains responsible and liable if third-party agents that it engages to process personal data do so in a manner inconsistent with the Principles, unless Certara proves that it is not responsible for the event giving rise to the damage. Certara does not sell, trade or transfer personal data to third parties. However, Certara may share User information with business partners for marketing, advertising or product/service offering purposes. For example, Certara may provide User Information to select service providers for direct email distribution of newsletters, on-line surveys, or notifications.
If an EU individual wishes to opt out of, or limit, the use and disclosure of their personal data to a third party, or a use that is incompatible with the purpose for which the personal data was originally collected or authorized, they should direct their written request to Adebayo.Olowoyeye@certara.com.
Third parties that are not Certara employees who could have access to the personal data described herein include individual contractors. The integrity and security of the personal data transferred to these third parties are protected by requirements to train on Certara privacy and confidentiality policies and/or contractual terms.
In addition, Certara may be required to disclose personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
V. Recourse, Enforcement, and Liability
A. Point of Contact for Complaints or Questions
Individuals have the ability to contact Certara regarding any questions or concerns related to its collection or handling of their personal data.
VP, Corporate IT, Certara
B. US Subsidiaries of Certara adhering to the Privacy Shield Principles
Certara USA, Inc.
Quantitative Solutions, Inc.
Synchrogenix Information Strategies LLC
C. Verification Procedures
Certara verifies that it conforms to Privacy Shield principles via the following:
- Individuals are informed of any in-house arrangements or independent mechanisms for handling complaints (found herein).
- It has established procedures for training employees in its implementation, including consequences for failure to follow it.
Certara recognizes that it must respond promptly to Department of Commerce inquiries.
D. Consequences of Non-compliance
In conjunction with its certification with the EU Privacy Shield, Certara uses Better Business Bureau (BBB) EU Privacy Shield as its Independent Recourse Mechanism (IRM), and by self-certifying with Privacy Shield, it is subject to the investigatory and enforcement authority of the Federal Trade Commission.
The incident response team consists of members from Information Technology, Human Resources and Quality Assurance. Suspected and confirmed security breach incidents will be investigated by the team to identify the source of the breach, identify the types of data compromised and determine who will be notified. If a data breach is suspected or confirmed, the team, chaired by the Chief Information Officer, will:
- Determine if any outside security experts should be consulted and engage those experts if needed.
- Inform the applicable insurance company of any confirmed incident.
- Inform the appropriate Certara attorney of any confirmed incident.
- Determine if notification of any individuals or persons (including governmental authorities) is required by law and comply with any such applicable law.
- Work with Marketing to develop and communicate to Certara personnel appropriate responses to questions from customers/clients regarding the incident.
- Document the suspected/confirmed incident.
Certara has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Under certain limited conditions, individuals may invoke last-resort binding arbitration before the Privacy Shield Panel to be created by the US Department of Commerce and the European Commission.
Effective Date 15 October, 2018