This Privacy and Data Protection Policy establishes how BlueClinical handles the personal data of its employees, participants and/or potential participants in clinical studies, clients and/or potential clients, subjects who communicate safety information associated with the use of a medicinal product owned by a BlueClinical client, as well as any other interested parties in the scope of the performance of their activities.
2 RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
BlueClinical is responsible for processing the personal data of all interested parties in the scope of conducting its activities.
In case of a clinical study, BlueClinical may be delegated by the Sponsor of that clinical study, for the processing of the personal data collected during the study.
Within the scope of services provision activities, BlueClinical, as in the previous example, may be delegated by the marketing authorization holder for the processing of personal data collected during the use of the medicinal product.
3 COLLECTION OF PERSONAL DATA
Your personal data will be processed by BlueClinical in the following situations:
4 PURPOSE AND LEGAL BASIS FOR THE USE OF PERSONAL DATA
According to the General Regulation on Data Protection (GRPD), the use of personal data must be justified under at least one of the legal bases defined in the Regulation.
The personal data that we collect and process are essential so we can perform, in a proper way, the services we are offering. We do not collect information that is useless or unnecessary for the purposes for which it is intended. Also, we do not collect personal or professional information without obtaining the prior consent of the respective owner.
Your personal data are collected and used by BlueClinical for the following purposes: (i) compliance with obligations under the Law, (ii) execution of contracts, (iii) business relationship management, (iv) scientific research management, (v) evaluation of the interest of potential commercial relations, (vi) communication and marketing actions.
5 CATEGORIES OF PERSONAL DATA COLLECTED
The categories of personal data collected and processed by BlueClinical vary according to the purpose for which the data is intended.
BlueClinical has a “Personal Data Treatment Matrix”, which lists all categories of personal data that BlueClinical collects, by type of holder. The personal data holder has the right to know what data has been collected about her / him. At any time, the data holder may request a copy of the data matrix referring to the information collected about her / him, which should be made available through the email firstname.lastname@example.org.
In the scope of Clinical Research, your personal data include your health and medical information (medical records or exams results). The collection of these personal data is needed for the clinical study conduct. You will not be able to participate in the study if you do not give your consent to access and use such data.
6 PERSONAL DATA PROCESSING
The data provided regarding the relationship established with BlueClinical are processed in accordance with the applicable regulatory requirements, being namely:
7 COMMITMENT TO PROTECT YOUR PERSONAL DATA
We use a variety of security measures and authentication tools to protect and maintain security, as well as the integrity and availability of your personal data.
Although data transmission through the internet or our website can not guarantee complete security against intrusions from third parties, BlueClinical, its service providers and commercial partners, make the best efforts to implement and maintain the procedures, as well as the measures of physical and electronic security to safeguard your personal data.
We implemented, among others, the following measures:
8 RETENTION OF PERSONAL DATA
We retain your personal data only for as long as it is necessary for the purpose for which they were collected.
Once the maximum legal term of conservation has been reached, your personal data are anonymised or destroyed in a secure way.
9 SHARING OF PERSONAL DATA WITH THIRD PARTIES
BlueClinical only uses subcontractors that have adequate guarantees and safety standards, under the legally established terms. Subcontractors must comply with the documented instructions given to them by BlueClinical, must assume a confidentiality commitment or be subject to appropriate legal obligations of confidentiality and adopt security measures in the processing to comply with the GRPD.
10 AMENDMENT OR REMOVAL OF CONSENT
You may, at any time, change or withdraw your consent, with effect for the future.
To change or withdraw your statements of consent, you must send an e-mail requesting the change or withdrawal of consent to the following e-mail addresses:
The total withdrawal of your consent to the data processing implies that the responsible by data processing completely ceases, from that moment, any processing of personal data, including the collection of new data, consultation and analysis of data already collected or the conservation of data. Once the consent has been withdrawn, BlueClinical will have to ensure that your data is erased, unless there is another legal basis for the respective processing.
However, when consent to use personal information for a clinical study is withdrawn, the participant will no longer be able to continue in the study, the data that has already been disclosed or published for research purposes cannot be withdrawn, and your data collected until at the time of withdrawal of consent may continue to be processed in order to comply with legal and regulatory obligations.
When the consent to use personal information for further investigations is withdrawn, the data that has already been disclosed or published for investigation purposes cannot be withdrawn and these can continue to be handled in a manner that complies with legal and regulatory obligations, or for other scientific research purposes, if permitted by applicable law.
11 RIGHTS OF DATA PROTECTION
If you have any question or complaint regarding our use of your personal data, you can contact us through the email email@example.com (Data Protection Officer of BlueClinical).
Since we want to ensure that you are aware of your rights and under the applicable law, we want to inform you that:
12 PERSONAL DATA BREACH
In the event of a personal data breach, BlueClinical will notify the CNPD, without undue delay and, whenever possible, within 72 hours after becoming aware of the breach, unless the breach does not present a risk to the rights and freedoms of the holders.
In addition to notifying the CNPD, BlueClinical will also notify you of the personal data breach, without undue delay, when this breach entails a high risk to your rights and freedoms.