1 INTRODUCTION

This Privacy and Data Protection Policy establishes how BlueClinical handles the personal data of its employees, participants and/or potential participants in clinical studies, clients and/or potential clients, subjects who communicate safety information associated with the use of a medicinal product owned by a BlueClinical client, as well as any other interested parties in the scope of the performance of their activities.

2 RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

BlueClinical is responsible for processing the personal data of all interested parties in the scope of conducting its activities.

In the case of a clinical study, the Sponsor of that study may delegate to BlueClinical the processing of the personal data collected during the study.

Likewise, within the scope of service provision activities, the marketing authorization holder may delegate to BlueClinical the processing of personal data collected during the use of the medicinal product.

3 COLLECTION OF PERSONAL DATA

Your personal data will be processed by BlueClinical in the following situations:

  • When establishing a relationship or a proposal of professional or commercial relationship with BlueClinical; and/or
  • By participating or applying for participation in clinical studies conducted by BlueClinical, or with the support of BlueClinical; and/or
  • By communicating a suspicion of reaction / adverse event to a medicinal product owned by a BlueClinical client; and/or
  • By giving consent to BlueClinical.

4 PURPOSE AND LEGAL BASIS FOR THE USE OF PERSONAL DATA

According to the General Data Protection Regulation (GDPR), the use of personal data must be justified under at least one of the legal bases defined in the Regulation.

The personal data that we collect and process are essential so we can perform, in a proper way, the services we are offering. We do not collect information that is useless or unnecessary for the purposes for which it is intended. Also, we do not collect personal or professional information without obtaining the prior consent of the respective owner.

Your personal data are collected and used by BlueClinical for the following purposes: (i) compliance with obligations under the Law, (ii) execution of contracts, (iii) business relationship management, (iv) scientific research management, (v) evaluation of the interest of potential commercial relations, (vi) communication and marketing actions.

5 CATEGORIES OF PERSONAL DATA COLLECTED

The categories of personal data collected and processed by BlueClinical vary according to the purpose for which the data is intended.

BlueClinical has a “Personal Data Treatment Matrix”, which lists all categories of personal data that BlueClinical collects, by type of holder. The personal data holder has the right to know what data has been collected about her / him. At any time, the data holder may request a copy of the data matrix referring to the information collected about her / him, which should be made available through the email dpo@blueclinical.pt.

In the scope of Clinical Research, your personal data include your health and medical information (medical records or exam results). The collection of these personal data is needed for the conduct of the clinical study. You will not be able to participate in the study if you do not give your consent to access and use such data.

6 PERSONAL DATA PROCESSING

The data provided regarding the relationship established with BlueClinical are processed in accordance with the applicable regulatory requirements. Namely, they are:

  • Processed in a lawful, fair and transparent manner in relation to the data holder.
  • Used only to accomplish the purposes for which they were collected.
  • Used in an appropriate, relevant and limited way to what is necessary for the purposes for which they are processed.
  • Accurate and, if necessary, updated.
  • Kept only for the period necessary and legally permissible for the purposes for which they are processed.
  • Protected against loss, destruction or accidental and non-accidental damages, as well as unauthorized or unlawful processing.

7 COMMITMENT TO PROTECT YOUR PERSONAL DATA

We use a variety of security measures and authentication tools to protect and maintain security, as well as the integrity and availability of your personal data.

Although data transmission through the internet or our website cannot guarantee complete security against intrusions from third parties, BlueClinical, its service providers and commercial partners make their best efforts to implement and maintain the procedures, as well as the physical and electronic security measures, to safeguard your personal data.

We implemented, among others, the following measures:

  • Restricted access to personal data based on the criteria of “need to know” and only within the scope of the purposes arising from contractual or commercial relationships or expressly consented.
  • Protection of information technology systems through firewalls, in order to prevent unauthorized access to personal data.
  • Personal data in transit and/or at rest are protected by encryption mechanisms. For example, access to the BlueClinical website is made through a secure SSL (“Secure Sockets Layer”) connection, and the communication between the browser and the web server uses the HTTPS protocol.
  • Back-up policies to safeguard the information.
  • Monitoring and control of the physical and electronic accesses to information technology systems, to prevent, detect and prohibit the misuse of personal data.
  • Employees who are in contact or who are aware of personal data by virtue of the execution of their duties are bound by professional secrecy and/or confidentiality obligations.

8 RETENTION OF PERSONAL DATA

We retain your personal data only for as long as necessary for the purpose for which they were collected.

Once the maximum legal term of conservation has been reached, your personal data are anonymised or destroyed in a secure way.

9 SHARING OF PERSONAL DATA WITH THIRD PARTIES

BlueClinical only uses subcontractors that have adequate guarantees and safety standards, under the legally established terms. Subcontractors must comply with the documented instructions given to them by BlueClinical, must assume a confidentiality commitment or be subject to appropriate legal obligations of confidentiality, and must adopt security measures in the processing to comply with the GDPR.

10 AMENDMENT OR REMOVAL OF CONSENT

You may, at any time, change or withdraw your consent, with effect for the future.

Upon complete withdrawal of your consent, you will no longer be contacted, nor will you receive any communications intended for the purposes described in this Privacy Policy.

To change or withdraw your statements of consent, you must send an e-mail requesting the change or withdrawal of consent to the following e-mail addresses:

The total withdrawal of your consent to the data processing implies that the party responsible for the data processing completely ceases, from that moment, any processing of personal data, including the collection of new data, consultation and analysis of data already collected or the conservation of data. Once the consent has been withdrawn, BlueClinical will have to ensure that your data is erased, unless there is another legal basis for the respective processing.

However, when consent to use personal information for a clinical study is withdrawn, the participant will no longer be able to continue in the study, the data that has already been disclosed or published for research purposes cannot be withdrawn, and the data collected up to the time of withdrawal of consent may continue to be processed in order to comply with legal and regulatory obligations.

When the consent to use personal information for further investigations is withdrawn, the data that has already been disclosed or published for investigation purposes cannot be withdrawn and these can continue to be handled in a manner that complies with legal and regulatory obligations, or for other scientific research purposes, if permitted by applicable law.

11 RIGHTS OF DATA PROTECTION

If you have any question or complaint regarding our use of your personal data, you can contact us through the email dpo@blueclinical.pt (Data Protection Officer of BlueClinical).

Since we want to ensure that you are aware of your rights, and in accordance with the applicable law, we want to inform you that:

  • Your personal data belongs to you, namely, it is your property. As such, you have the right to access, rectify, limit, erase or object to the processing of your data by BlueClinical, and/or to transfer them to another party responsible for processing, unless there is another legal basis for processing that does not allow this. If you exercise any of these rights, we will analyse your request and we expect to respond within one month.
  • You have the right to make a complaint to the National Data Protection Commission (Comissão Nacional de Proteção de Dados, CNPD). More information about the CNPD can be obtained at the website www.cnpd.pt.

12 PERSONAL DATA BREACH

In the event of a personal data breach, BlueClinical will notify the CNPD, without undue delay and, whenever possible, within 72 hours after becoming aware of the breach, unless the breach does not present a risk to the rights and freedoms of the holders.

In addition to notifying the CNPD, BlueClinical will also notify you of the personal data breach, without undue delay, when this breach entails a high risk to your rights and freedoms.