This privacy statement describes how the Stichting Centre for Human Drug Research (CHDR) collects, processes, stores, protects, transfers and deletes personal data. It also explains for which activities we process the data and on what legal basis we do so. The sharing of data with other parties is set out below, as well as the processing of personal data outside the EU. The security of personal data is explained, together with the retention terms. This policy also details your rights as a data subject and what you need to do if you wish to file a complaint.

Our vision on privacy

As an independent institute that specialises in clinical drug research, combining innovative methods, technologies, and state-of-the-art facilities, your privacy is of the utmost importance to us. CHDR makes every effort to ensure that personal data is processed carefully and securely. Your trust in us is paramount, and we will do whatever is necessary to protect your privacy.

Where the processing of personal data is concerned, we take the following principles into account:

· Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;

· Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

· Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

· Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

· Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

· Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.

Scope

This privacy statement applies to CHDR’s processing of personal data in the context of its establishment in the European Economic Area (the EEA). This privacy statement describes how we collect and use your personal data in connection with:

· Your registration of interest, through our website, in participating in one of our future clinical research studies (Potential Participant);

· Your participation in one of our clinical research studies (Participant);

· Your participation in the past in one of our clinical research studies which has been finalised (Former Participant);

· Your use of our website(s) or apps (Online Visitor);

· Our employee recruitment processes (Applicant);

· Procurement and potential procurement matters (Vendor).

This Privacy Statement does not apply to personal information that we may collect in the context of your employment or other working relationship with CHDR.

The role of CHDR

This privacy statement is provided on behalf of CHDR as data controller. Depending on the clinical research study, other entities may act as joint data controller in relation to your personal data. On that occasion we will provide you with the name of the joint data controller when we collect your personal information, and we will supply you with an adequate privacy notice.
When acting in the capacity of data controller, CHDR will take the principles of personal data processing, as described, into account. When acting in the capacity of data processor, CHDR will apply these principles in line with the instructions provided by the Controller. CHDR shall inform the Controller if CHDR is of the opinion that any instruction from the Controller is in conflict with the principles described above.

Information we collect

We may collect your personal data. “Personal data” means any information relating to an identified or identifiable natural person. Depending the nature of your contact with CHDR, personal data may include:

· Contact information, such as name, address, phone number or email address;

· Financial information, such as bank account number or billing address;

· Demographic information, such as postcode;

· Recruitment information, such as CV, employment history and qualifications;

· Online identifiers, such as IP address;

· Information to confirm your identity, such as a passport or identity card if we are obliged to do so by local law;

· Health data, if you participate in one of our clinical studies;

· Biometric data, if you participate in one of our clinical studies;

· Genetic data, if you participate in one of our clinical studies;

· Image information, if you participate in one of our clinical studies, or when you visit our premises where we use closed circuit television (CCTV); and

· Any other information that you provide to us that can be used to identify you.

We collect personal data via:

· Your direct interaction with us, when you volunteer to participate in one of our clinical research studies;

· Cookies and automated technologies, such as when you visit our websites;

· Security systems, such as when you visit our premises we may obtain CCTV footage; and

· Social media, such as our use of Facebook, Instagram and other social media to market our services/products. Generally we will not use your personal data for such purposes, but if we do so, we will only share names, e-mail addresses and in some cases mobile phone numbers with such parties (audience targeting).

How we collect and use your personal data

Below is an overview of the personal data we collect, including the sources of personal data, how we may use the data, for which purposes we may use it, and the legal basis thereof.
Any other purposes for which we wish to use your personal data that are not listed above, or any changes we propose to make to the existing purposes, will be notified by amending this privacy statement in accordance with the section titled ‘Changes to this Privacy Statement’.


How we may share your personal data

We may share personal data:

· if required to do so by law and/or regulations;

· with the third parties stated in the Informed Consent Form you signed, such as the sponsor of the study you are a participant in, or medical institutions;

· with service providers that carry out functions or services on our behalf that enable our operations. This includes our IT applications and systems, website analytics and search engine providers. This also includes the protection and securing of our systems and services.

We do not sell your personal data to anyone.

Retention of personal data

We will retain your personal data for as long as is necessary in order to fulfill the purposes for which we collected it, including any legal requirements. To determine the retention period, we take the following into account:

· Whether we are subject to any legal obligation, such as the regulation on Clinical Trials and the Dutch Medical Treatment Act;

· Whether retention is required considering our legal position (such as for statutes of limitations, litigation or regulatory investigations); and

· The length of time that we have an ongoing relationship with you, and provide our services to you (for example, for as long as you are subscribed to one of our newsletters).


If we have not had any meaningful contact with you during a period of 5 years, we shall delete your data, unless the law or relevant regulators require us to retain it for a longer period of time.

If you are a website visitor, the retention period at user level and for events associated with cookies, user IDs and advertising IDs can be found in our cookie statement.

At the end of the retention period, we will delete your personal data in a manner designed to ensure that it cannot be reconstructed.

How to exercise your privacy rights

You have the following rights with regard to your Personal Data:

· Right to access information about how we process your personal data, including the categories of personal data we process, recipients of your Personal Data, and purposes for our processing.

· Right to rectification of inaccurate Personal Data concerning you, as well as, taking into account the purposes of the processing, the right to have incomplete Personal Data completed.

· Right to erasure (deletion) of Personal Data concerning you where: (a) the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) you withdraw your consent and there are no other legal grounds for the processing; (c) you exercise your right to object (see below) and there are no compelling legitimate grounds for the processing; (d) the Personal Information has been unlawfully processed; or (e) the Personal Data have to be erased for compliance with a legal obligation applicable to us.
Please note that the obligations of clinical trials legislation may impede the exercise of certain rights in order, for example, to maintain the integrity of clinical trial data.

· Right to restriction of processing (i.e., data will be blocked from normal processing but not erased) where: (a) you contest the accuracy of the Personal Data, for a period enabling us to verify the accuracy; (b) the processing is unlawful and you oppose the erasure of the Personal Data and requests the restriction of their use instead; (c) we no longer need the Personal Data for the purposes of the processing but they are required by you for the establishment, exercise or defence of legal claims; (d) you exercise your right to object (see below) pending the verification of whether our legitimate grounds override yours.

· Where processing is based on your consent, the right to withdraw consent at any time, without affecting the lawfulness of the processing prior to such withdrawal. Please note that even after you have chosen to withdraw your consent we may be able to continue to process your Personal Data in some limited circumstances.
Please note that the obligations of clinical trials legislation may impede the exercise of certain rights, for example, in order to maintain the integrity of clinical trial data. If you are or have been a participant in a clinical trial, you have been provided with additional, study-specific information by CHDR.

· Where processing is based on your consent, or on a contract, the right to data portability, i.e. the right to obtain a copy of the data concerning you in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from us.

· Right to object to the processing of Personal Data based on our legitimate interests, provided that there are no compelling legitimate grounds for the processing that would override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If you wish to exercise any of your rights above, please contact us using the information in the section How To Contact Us at the end of this Privacy Statement.
Again please note that the obligations of clinical trial legislation may impede the exercise of certain rights, for example, in order to maintain the integrity of clinical trial data. If you are or have been a participant in a clinical trial, you have been provided with additional, study-specific information by CHDR.

We may charge you a reasonable fee in the case that you request additional copies of your Personal Data or make excessive requests. If we are unable to honour your request, or before we charge a fee, we will inform you of the reasons why. Insofar as is practicable and required under law, we will notify third parties with whom we have shared your Personal Data of any request for correction, deletion, and/or restriction to the processing of your Personal Data. Please note that we cannot guarantee third parties will follow up on our notification and we encourage you to contact those third parties directly.

Security and protection of your personal data

We implement appropriate technical and organisational measures to ensure the personal data we process is protected from unauthorised access, use, disclosure, alteration or destruction, in accordance with applicable laws and regulations. Unfortunately, no data transmission or storage system can be guaranteed to be completely secure and we cannot fully guarantee the security of personal data.

International transfers of personal data

CHDR performs research in collaboration with partners located in different parts of the world. CHDR is committed to complying with this privacy statement and with European Data Protection Laws regarding information transferred outside the European Economic Area (EEA). The laws in countries outside the EEA may not be as strict as the laws in within the EEA. In light of this, CHDR has taken measures to protect your privacy and fundamental rights when your personal data is transferred outside the EEA and to other countries where no adequacy decisions of the European Commission apply.
This includes the use of appropriate safeguards such as standard contractual clauses and safe transfer protocols to ensure adequate protection.

When personal information collected by CHDR is transferred outside the European Economic Area (EEA), detailed information can be found in the Informed Consent Form that you will be or have been provided with. Note that we may contract service providers outside the EEA for anti-malware and anti-spam filtering on email addresses.

How to contact us

If you have any questions about our privacy statement, if you wish to exercise your rights or if you wish to lodge a complaint, please contact us.

By email: DPO-gegevensbescherming@chdr.nl

By post:

    Centre for Human Drug Research

    Attn.: Data Protection Officer

    Zernikedreef 8

    2333 CL Leiden

    The Netherlands

You can always contact our Data Protection officer by phone: +31 (0)71 5246439

You always have the right to lodge a complaint with your local Data Protection Authority.

Changes to this Privacy Statement

The Effective Date of this Privacy Statement is set forth at the bottom of this statement. In case of material changes to the way we treat your personal data, we will notify you by posting a notice on our website. The most recent version of our Privacy Statement can always be found on our website.

Effective: January 2020

Contact CHDR