Introduction

This privacy statement describes how the Stichting Centre for Human Drug Research (CHDR) collects, processes, stores, protects, transfers and deletes personal data. CHDR also explains for which activities we process the data and on what legal basis we do so. The sharing of data with other parties will be described, as well as the processing of personal data outside the EU. The security of personal data is dealt with together with the retention terms. We have also detailed your rights as a data subject and what you need to do should you wish to file a complaint.

Our vision on privacy

As an independent institute that specialises in clinical drug research, combining innovative methods, technologies and state-of-the-art facilities, your privacy is of the utmost importance to us. CHDR makes every effort to ensure that we process personal data carefully and securely. It is evident that you have confidence in our centre and we will do whatever is necessary to protect your privacy. We will take the following principles relating to processing of personal data into account:

· Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;

· Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

· Data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

· Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

· Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

· Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss.

Scope

This privacy statement applies to CHDR’s processing of personal data in the context of its establishment in the European Economic Area (the EEA). This privacy statement describes how we collect and use your personal data in connection with:

· If you are interested in participating in one of our future clinical research studies and you register through our website (Potential Participant);

· Your participation in one of our clinical research studies (Participant);

· Your participation in the past in one of our clinical research studies which has been finalised (Former-Participant);

· Your use of our website(s) or apps (On-Line Visitor);

· Our employee recruitment processes (Applicant);

· Procurement and potential procurement matters (Vendor).

This Privacy Statement does not apply to personal information that we may collect in the context of your employment or other working relationship with CHDR.

The role of CHDR

This privacy statement is provided on behalf of CHDR as data-controller. Depending on the clinical research study different entities may be joint data-controller in relation to your personal data. On that occasion we will provide you with the name of the joint data-controller when we collect your personal information and we will supply you with an adequate privacy notice.
CHDR will take the principles of processing personal data as described into account when acting in the capacity as data controller. When CHDR acts in the capacity of data processor, CHDR will apply these principles in line with the instructions provided by the Controller. CHDR shall inform the Controller if CHDR is of the opinion that any instruction from the Controller is in conflict with the principles described above.


Information we collect

We may collect your personal data. “Personal data” means any information relating to an identified or identifiable natural person. Depending on how you have contact with us personal data may include:

· Contact information, such as name, address, phone number or email address;

· Financial Information, such as bank account number or billing address;

· Demographic information, such as zip/postal code;

· Recruitment information, such as resume, work history and qualifications;

· Online Identifiers, such as IP address;

· Information to identify you, such as a passport or identity card if we are by local law obliged to do so;

· Health data, if you participate in one of our clinical studies;

· Biometric data, if you participate in one of our clinical studies;

· Genetic data, if you participate in one of our clinical studies;

· Image information, if you participate in one of our clinical studies, or when you visit our premises where we use closed circuit television (CCTV); and

· Any other information that you provide us that can be used to identify you.

We collect personal data from:

· Direct interaction with us, when you volunteer to participate in one of our clinical research studies;

· Cookies and automated technologies, such as when you visit our websites;

· Through Social Media, we will be able to use Facebook, Instagram and other social media for marketing our services/products. Generally we will not use your personal data for such purposes, but if we do so, we will only be able to share names, e-mail addresses and in some cases mobile phone numbers with such parties (audience targeting).

· Security systems, such as when you visit our premises we may obtain CCTV footage.


How we collect and use your personal data

Below is an overview of the personal data we collect, the likely source of the personal data, how we may use it, and for what purposes and based on what legal basis.
Any other purposes for which we wish to use your personal data that are not listed above, or any changes we propose to make to the existing purposes will be notified to you by amending this privacy statement in accordance with the section titled ‘changes to this privacy statement’.


How we may share your personal data

We may share personal data:

· If so required by law and/or regulations;

· With the third parties stated in the Informed Consent Form you signed with us, such as the sponsor of the study you participate in or medical institutions.

· With service providers that carry out functions or services on our behalf that enable our operations. This will include our IT applications and systems, website analytic and search engine providers. This includes protection and securing of our systems and services.

We do not sell your personal data to anyone.


Retention of personal data

We will retain your personal data for as long as necessary to fulfill the purposes we collected it for, including any legal requirement. To determine the retention period we take into account:

· Whether there is a legal obligation to which we are subject, such as the regulation on Clinical Trial studies and the Dutch Act on Medical Treatment;

· Whether retention is required considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations);

· If you are a website visitor the retention period at user level and at events associated with cookies, user IDs and advertising IDs can be found in our cookie statement.

· The length of time we have an ongoing relationship with you and provide our services to you (for example, for as long as you have a subscription to one of our newsletters).

· If we have not had any meaningful contact with you during a period of 5 years, we delete your data, unless the law or relevant regulators require us to retain it for a longer period of time.

At the end of the retention period, we will delete your personal data in a manner designed to ensure that it cannot be reconstructed.

How to exercise your privacy rights

You have the following rights with regard to your personal data:

· Right to access information about how we process your Personal Data, including the categories of Personal Data we process, recipients of your Personal Data, and purposes for our processing.

· Right to rectification of inaccurate Personal Data concerning you, as well as, taking into account the purposes of the processing, the right to have incomplete Personal Data completed.

· Right to erasure (deletion) of Personal Data concerning you where: (a) the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) you withdraw your consent and there are no other legal grounds for the processing; (c) you exercise your right to object (see below) and there are no compelling legitimate grounds for the processing; (d) the Personal Information have been unlawfully processed; or (e) the Personal Data have to be erased for compliance with a legal obligation applicable to us.
Please note that the obligations of clinical trials legislation may impede the exercise of certain rights in order, for example, to maintain the integrity of clinical trials data.

· Right to restriction of processing (i.e., data will be blocked from normal processing but not erased) where: (a) you contest the accuracy of the Personal Data, for a period enabling us to verify the accuracy; (b) the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of their use instead; (c) we no longer need the Personal Data for the purposes of the processing but they are required by you for the establishment, exercise or defence of legal claims; (d) you exercise your right to object (see below) pending the verification whether our legitimate grounds override yours.

· Where processing is based on your consent, the right to withdraw consent at any time, without affecting the lawfulness of the processing prior to such withdrawal. Please note that even after you have chosen to withdraw your consent we may be able to continue to process your Personal Data in some limited circumstances.
Please note that the obligations of clinical trials legislation may impede the exercise of certain rights, for example, in order to maintain the integrity of clinical trials data. If you are or have been a participant in a clinical trial you have been provided with additional, study specific information by CHDR.

· Where processing is based on your consent, or on a contract, the right to data portability, i.e. the right to obtain a copy of the data concerning you in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from us.

· Right to object to the processing of Personal Data based on our legitimate interests, provided that there are no compelling legitimate grounds for the processing that would override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If you wish to exercise any of your rights above, please contact us using the information in the section “How To Contact Us” at the end of this Privacy Statement.
Again please note that the obligations of clinical trials legislation may impede the exercise of certain rights, for example, in order to maintain the integrity of clinical trials data. If you are or have been a participant in a clinical trial you have been provided with additional, study specific information by CHDR.

We may charge you a reasonable fee in case you request additional copies of your Personal Data or make excessive requests. If we are unable to honour your request, or before we charge a fee, we will let you know why. In so far as practicable and required under law, we will notify third parties with whom we have shared your Personal Data of any request for correction, deletion, and/or restriction to the processing of your Personal Data. Please note that we cannot guarantee third parties will follow up on our notification and we encourage you to contact those third parties directly.


Security and protection of your personal data

We implement appropriate technical and organizational measures to ensure the personal data we process is protected from unauthorized access, use, disclosure, alteration or destruction, in accordance with applicable laws and regulations. Unfortunately, no data transmission or storage system can be guaranteed to be completely secure and we cannot fully guarantee the security of personal data.


International Transfers of personal data

CHDR performs research in collaboration with partners located in different parts of the world. CHDR has committed itself to comply with this privacy statement and the European Data Protection Laws with regard to information transferred outside the European Economic Area (EEA). The laws in other countries outside the EEA may not be as strict as the laws in Europe. Because of this, CHDR has taken measures to protect your privacy and fundamental rights when your personal data is transferred outside the EEA and other countries where no adequacy decisions of the European Commission apply.
This means that CHDR uses appropriate safeguards such as standard contractual clauses and safe transfer protocols to ensure adequate protection.

When personal information collected by CHDR is transferred outside the European Economic Area (EEA), detailed information can be found in the Informed Consent Form that you will be or have been provided with.


How to contact us

Do you have any questions about our privacy statement, do you want to exercise your rights or do you want to lodge a complaint? Please contact us:

By e-mail: DPO-gegevensbescherming@chdr.nl

By post: Centre for Human Drug Research

Attn.: Data Protection Officer

Zernikedreef 8

2333 CL Leiden

The Netherlands

You can always contact our Data Protection Officer by phone: +31 (0)6 5023 8606

You always have the right to lodge a complaint with your local Data Protection Authority.

Changes to this Privacy Statement

The Effective Date of this Privacy Statement is set forth at the bottom of this statement. In case of material changes to the way we treat your personal data, we will notify you by posting a notice on our website. The most recent version can always be found on our website.

Effective: February 2019

