Parexel’s Notice of Certification Under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and United Kingdom (UK) Extension to the EU-U.S. DPF
Effective as of October 2023
Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension to the EU-U.S. DPF Policy sets forth the privacy principles that Parexel follows in connection with the transfer of personal information from European Economic Area (EEA)** and United Kingdom (UK) including Gibraltar. Parexel values the confidence of its customers and respects individual privacy, including personal information of business partners / customers, investors, patients, clinical research participants, Investigators and Health Care Professionals, and clinical research site staff.
Scope: Parexel International Corporation and those controlled U.S. Subsidiaries listed on the certificate (Parexel) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Parexel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Advisory: Parexel may continue to rely on alternative data transfer mechanisms deemed appropriate by the relevant authorities to transfer data collected from the EEA and UK to the U.S., such as EU Standard Contractual Clauses. When Parexel is acting as an agent/data processor, Parexel will follow the instructions of the data controller on the mechanism relied upon for data transfers.
Data processed: Parexel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF regarding the collection, use, and retention of directly or indirectly identifiable personal information transferred from the EEA and/or UK to the U.S. pertaining to:
- Healthcare Professional / clinical investigator and clinical research site staff
- potential and active clinical research participants and patients
- business partners / customers
- vendors / suppliers
- External learners applying to Parexel Academy training courses and external learners enrolled in Parexel Academy training course
HR Data: Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension to the EU-U.S. DPF certification does not apply to the transfer of human resource data.
Purposes of data processing: Parexel collects, uses and retains personal information:
- as agent / data processor for the purpose to host it on behalf of business partners / customers and/or to provide clinical research services, clinical research management, consulting services, clinical research support activities, and statistical analysis of clinical studies on pharmaceutical products and/or regulatory affairs services and/or pharmacovigilance services to business partners / customers based on agreements executed between business partners / customers and Parexel;
- and as data controller for the purpose of recruiting Early Phase Clinical Unit (EPCU) volunteers, and for Healthcare Professionals and customer relationship management, customer service, social engagement, community building and data analytics purposes.
- Parexel Academy, as a data controller, to fulfill the contract with external learners
Parexel’s role as a Clinical Research Organization (CRO) is that of an agent / data processor, and will be Parexel’s main role when transferring personal data from the EEA and the UK to the U.S.
Third parties who may receive personal information: Parexel’s accountability for personal information that it receives under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF and subsequently transfers to a third party is described in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles. In particular, Parexel remains responsible and liable under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles if third party agents that it engages to process the personal information on its behalf does so in a manner inconsistent with EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles, unless Parexel proves that it is not responsible for the event giving rise to the damage.
Compelled disclosure: Parexel may be required to disclose personal information received from the EEA in reliance on the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF in response to lawful requests by U.S. public authorities, including to meet national security or law enforcement requirements.
Your rights to access, to limit use, and to limit disclosure: Inhabitants of the EEA and UK have rights to access personal information about them, and to limit use and disclosure of their personal information. Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF certification shows Parexel’s commitment to respect those rights. Parexel personnel have limited ability to access personal data, because research site staff and Investigators or our business partners / customers retain the key to the key-coded data. If you believe Parexel has your data and wish to request access, to limit use, or to limit disclosure, please provide the name of the research site staff and Investigators or Parexel business partner / customer who submitted your personal information to our services. Parexel will refer your request to that research site staff and Investigators or business partner / customer and will support them as needed in responding to your request.
Inquiries and complaints: In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF Parexel commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EEA and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact Parexel at: Parexel International Corporation, 2520 Meridian Parkway, Durham, NC 27713, USA or privacy@parexel.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF Parexel commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF.
U.S. Federal Trade Commission enforcement: The Federal Trade Commission has jurisdiction over Parexel’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.
** EEA consists of the 27 EU member countries plus Iceland, Liechtenstein and Norway