EU/Swiss Privacy Shield Statement
Certara Privacy Statement – effective as of 1-October-2019
Certara Holding, Inc., with each of its subsidiaries (which includes Certara USA, Inc.) (hereafter “Certara”, “the Company”, “we” or “us”) is committed to protecting and respecting your privacy. This privacy statement provides information about what personal information Certara collects, why we collect it, how we use and handle it, individuals’ rights to access their personal data and their choice or consent related to limitations on how it is shared.
This privacy statement also describes a means to contact us should you have any complaints or questions about how Certara processes personal data. It also provides information about how the Company is held accountable for safeguarding personal data.
Certara works hard to earn your trust. Our Security and Privacy Compliance Program demonstrates our commitment to protect data and adhere to the following Privacy Principles:
- Purpose Limitation
- Data Integrity
- Accountability for Onward Transfer
- Individual rights
- Requiring employees, contractors, and third party processors to comply with applicable law
- Recourse, Enforcement, and Liability, which are addressed herein (see also www.privacyshield.gov)
Please read the following carefully to understand our privacy practices regarding your personal information and how we process it.
Please note that for individuals located in the European Economic Area, the term “personal information,” as used in this Statement, is equivalent to the term “personal data” under applicable European data protection laws.
In accordance with Data Protection Regulations, personal data will be collected and processed for one or more of the following reasons: for performance of a contract, compliance with a legal obligation, for the legitimate business purposes of Certara, in the vital interests of an individual, to perform a task in the public interest or where we have received explicit consent.
You can exercise the right to review your personal data collected by Certara at any time to ensure it is complete and rectify inaccuracies by contacting us in the manner detailed below.
I. What Information We May Collect
We may collect and process personal information from you when:
- You visit our websites, in which case we may collect personal information such as traffic data, location data, weblogs and other communication data, and the resources that you access.
- You provide information by filling in webforms. This includes information provided at the time of registering to use any of the websites operated by Certara, logging on to one or more of those sites, subscribing to our services, or posting material or requesting further information. We may also ask you for information when you report a problem.
- You contact us, in which case we may keep a record of that correspondence.
- You complete surveys that we use for research purposes or to improve our products and services, although you do not have to respond to them.
- You (or your company) enter into a contract with us.
- You visit our corporate offices.
We also collect information about you from other publicly available sources, including third parties from whom we purchase personal data, and combine this information with personal data provided by you. This helps us to update, expand and analyze our records, identify new customers and create more tailored advertising to provide services that may be of interest to you. For example, third party providers supply us with business contact information, including mailing addresses, job titles, email addresses, phone numbers, social media profiles, LinkedIn URLs and custom profiles, for purposes of targeted advertising, delivering relevant email content, event promotion and profiling.
If you provide us or our service providers with personal data relating to other individuals, you represent that you have the authority to do so and permit us to use the personal data in accordance with this Statement. The types of information about you that Certara may collect and process include:
- Background information
- Contact Information
- Education and skills information
- Employment information
- Financial information
- Health and medical information
- Personal identifiers and biometric information
- Professional experience and affiliations
- User account and computer activity information
We may collect and process computer activity data from you when you access our websites and services, in which case we may collect information about your computer, including, where available, your IP address, operating system, browser type, the files viewed on our site (e.g., HTML pages, graphics), date/time stamp or clickstream data for system administration and to analyze trends.
We may also obtain information about your general internet usage by using a cookie file, which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalized service. They enable us to:
- Estimate our audience size and usage pattern;
- Store information about your preferences, and so allow us to customize our site according to your individual interests;
- Speed up your searches; and
- Recognize you when you return to our site.
Health and Medical Information
Certara is a global leader in advancing modern, efficient drug development. We provide modeling and simulation, regulatory and ‘real-world’ value assessment software and services. In partnership with our clients, we help reduce clinical trial burden, accelerate regulatory approval, and increase patient access to medicines. To provide these services, Certara may receive source documents from clients to create documentation associated with drug development and lifecycle support activities, including sales, marketing and submissions to regulatory bodies worldwide. Other personal information, including sensitive health and medical information, may be collected when interacting with hospitals, medical providers, and other third parties. We take appropriate steps to protect this information, where possible, including pseudonymization, encryption, or via other industry standard security and privacy controls.
Named User Accounts
Personal data may also be collected as part of the process of creating named user accounts that grant access to Certara systems. Access to files and computer systems, as well as to the personal information collected in connection with business, marketing, sales and account creation activities, is limited to the employees or contractors who have a legitimate business need. Document access controls are detailed in Certara’s Standard Operating Procedures (SOPs).
II. Why And How We May Use Your Personal Information
(Data Integrity and Purpose Limitation)
We may use your personal information for the following purposes:
- To communicate and respond adequately to your requests and inquiries to Certara;
- To provide our products and services in the performance of a contract. This includes updating, securing, troubleshooting, providing support, and sharing data, when required to provide the service you request;
- To improve and develop our products and services;
- To advertise and market our products and services to you, which includes sending promotional communications, targeting advertising, and presenting you with relevant offers tailored to your company’s interests;
- To engage in transactions with customers and business partners and to process orders for our products and services;
- To operate our business, which includes analyzing our performance, meeting our contractual obligations, developing our workforce, and doing research; and
- To comply with applicable laws and regulations.
We may retain personal information for the following periods, consistent with the original purpose of collection:
- We determine the appropriate retention period for personal information on the basis of the amount, nature and sensitivity of the data processed, the potential risk of harm from unauthorized use or disclosure and whether we can achieve the purpose of the processing through other means, as well as on the basis of applicable legal requirements.
- Information we collect to engage in transactions with our customers and business partners, and to process purchases of our products and services, will be retained for the duration of the transaction or services period, or longer as necessary for record retention and legal compliance purposes.
- Contact information such as your email address or phone number collected online on our sites or offline from our interactions with you at Certara events and conferences, and used for direct marketing and sales activities will be retained for as long as we have an active (customer) relationship with you.
We will indicate if the provision of certain information is voluntary and you will be able to withdraw your consent or exercise your rights in relation to this information at any time as permitted or required by applicable law.
In the event that we use your personal information for other purposes, not specified above, we will inform you about the specific purposes for processing your personal information and, when required, our basis for doing so at the time we collect the personal information from you to the extent required by law.
III. How We Secure Your Personal Information And Your Choices And Access To Manage your Personal Information
(Security, Choices, and Access)
We use appropriate technical, organizational and administrative security measures to protect information we hold from loss, misuse, unauthorized access, disclosure, alteration or destruction. Our security procedures may request proof of identity before we disclose personal information to you.
We provide you multiple choices to manage the personal information we process about you and acknowledge your rights to access that personal data:
- Opt-out of our use of your personal information
You may withdraw consent you have previously provided for the processing of information about you, including for email marketing by Certara.
- Delete personal information
You can ask us to erase or delete all or some of the information about you.
- Change or correct personal information
You can edit some of the information about you by. You can ask us to change, update or fix information about you in certain cases, particularly if it is inaccurate.
- Object to, or limit or restrict use of personal information
You can ask us to stop using all or some of the information about you (for example, if we have no legal right to keep using it) or to limit our use of it (for example, if the information about you is inaccurate).
- Right to access and/or have your information provided to you
You can also ask us for a copy of information about you and can ask for a copy of information about you provided in machine readable form if you reside in the EU or other country that provides you this right as a matter of law.
You can exercise these choices through contacting us in the manner detailed below, in accordance with applicable laws.
IV. How We Share Personal Information We Collect
(Accountability for Onward Transfer)
Similar to other global companies, Certara shares your personal information with other third party providers for the purposes described in the Privacy Statement.
We may share your personal information with your consent or to complete any transaction or provide any product or service you have requested or authorized. We also share data with contracted service providers working on our behalf, when required by law or to respond to legal process, to protect our customers, to maintain the security of our products, and to protect the rights and property of Certara and its customers.
We share your personal information with third parties that provide services to help us with our business activities related to Certara websites, providing IT system administration and user support services, or offering customer service. Certara requires others, including those engaged to provide support services, to appropriately protect personal information and comply with applicable laws.
In our support of Population Health and other Health and Medical-related initiatives, we may share your personal information for treatment purposes and to ensure high standards of quality and safety of health care related to our medical devices and applications. We may also share personal information to comply with our legal or regulatory obligations including, but not limited to, our obligations related to adverse event reporting, pharmacovigilance, product safety and other reporting obligations or to respond to lawful requests by public authorities, including meeting national security or law enforcement requirements (e.g., to investigate fraud or respond to a government request). We may also disclose your personal information to third parties as necessary to investigate potential data incidents, or to protect the rights, property or safety of us, the users of our sites, or others.
In providing products or services that involve the transfer of personal data, Certara may be acting as a data processor of client-controlled data, and after providing services to the client using the personal information provided to us, the information is destroyed, archived, or returned to the client per applicable procedures and client agreements, not transferred to any third parties.
Certara might be involved in a merger, acquisition or sale of a portion of or all of its assets (Transaction) that includes your personal information. If Certara is involved in a Transaction, we will use reasonable efforts to notify you via email and/or a notice on our websites of any change in ownership, uses of your personal information, and choices you may have regarding your personal information.
If Certara transfers personal data to a third party, the recipient is required to maintain the same level of protection as Certara, consistent with the specifications called out in applicable frameworks, for example Privacy Shield. We will take appropriate contractual, technical, organizational and administrative measures designed to ensure that personal information is protected and processed only to the extent that such processing is necessary, consistent with this Statement, and in accordance with applicable laws. Certara will notify the recipient if it makes a determination that it can no longer meet this obligation. In those cases, Certara remains responsible and liable if third-party agents that it engages to process personal data do so in a manner inconsistent with this Statement or our Privacy Shield Principles, unless Certara proves that it is not responsible for the event giving rise to the damage.
Certara does not sell, trade or rent personal data to third parties. However, Certara may share user information with business partners for marketing, advertising or product/service offering purposes. For example, Certara may provide user information to select service providers for direct email distribution of newsletters, on-line surveys, or notifications.
V. How To Resolve A Dispute Or File A Complaint
(Recourse, Enforcement, and Liability)
Similar to other global companies, personal information that we collect about you may be transferred to and stored at a destination outside of your country which has different data protection laws as compared to those in your country.
If you are located in the European Union/European Economic Area (the “EU/EEA”) the following terms apply to your personal information: Your personal information may be transferred to our global affiliates and to our employees and contractors who work for us and are located outside the EU/EEA for the purposes described in this Statement. If this is the case, we will take legally required steps under the General Data Protection Regulation (“GDPR”) to ensure that adequate safeguards are in place (e.g., standard contractual clauses or Privacy Shield certification) to protect your personal information in accordance with this Statement.
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
Certara participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively “the Privacy Shield Frameworks” or the “Frameworks”). Certara is committed to processing all personal information it receives in the United States from EU member countries and Switzerland in reliance on the Privacy Shield Frameworks, in accordance with the Frameworks’ applicable principles. To learn more about the Privacy Shield Frameworks, and to view Certara’s certifications, visit the U.S. Department of Commerce’s Privacy Shield List (www.privacyshield.gov/list).
Certara is responsible for the processing of personal information it receives under the Privacy Shield Frameworks, and for any such personal information that it subsequently transfers to third parties, including third parties located outside the United States. Certara complies with the Privacy Shield Frameworks’ Principles for onward transfers of Personal Information obtained from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, Certara is subject to the regulatory enforcement powers of the U.S. Department of Commerce and the Federal Trade Commission. In certain situations, Certara may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your personal information. Individuals located within the EEA with inquiries or complaints regarding this Privacy Statement should first contact Certara in the manner detailed below.
We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 30 or 45 days of receiving your complaint, depending on your geographic location. Certara has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Under certain conditions, more fully described on the Privacy Shield website, individuals may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
In compliance with the Privacy Shield Frameworks’ Principles, Certara commits to resolve complaints about the collection or use of personal information under the Privacy Shield Frameworks. EU and Swiss individuals with inquiries or complaints regarding our compliance with the Privacy Shield Frameworks should first contact Certara using the contact details provided at the bottom of this Statement.
Certara has further committed to cooperate with the panel established by the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
The US subsidiaries of Certara adhering to the Privacy Shield Principles are:
- Certara USA, Inc.
- BaseCase, Inc.
- Quantitative Solutions, Inc.
- Synchrogenix Information Strategies LLC
- Analytica LASER International, Inc.
Outside of the EU
If you are located outside of the EU and have any complaints or questions about how Certara processes personal data, please contact us in the manner detailed below.
VI. How To Contact Us
If you have questions or concerns about this Privacy Statement, our information handling practices, or want to exercise your Data Subject Access Rights regarding your Personal Information, please contact us at firstname.lastname@example.org.
You may also write to us at:
Attn: Certara Privacy Office
100 Overlook Center, Suite 101
Princeton, NJ 08540 USA
You may also use the Certara Compliance line:
Call +1-844-330-7092 or go online: http://certara.ethicspoint.com/
- This resource is available 24 hours a day, 7 days a week. It is independent, secure, and confidential.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.
VII. Changes to the Privacy Statement
We will update this Privacy Statement from time to time to reflect changes in our practices, technologies, legal requirements and other factors. The “effective date” at the top of this Privacy Statement reflects the latest revision date. If we make a material update, we will provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you using the email address you provided.