Parexel Notice of Certification Under the EU-US and Swiss-U.S. Privacy Shield Frameworks
Effective as of September 9, 2020
On July 16, 2020, in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, the European Court of Justice (“ECJ”) invalidated the EU-US Privacy Shield framework, thereby eliminating the use of Privacy Shield for transfers of personal information from the EU to the US. Data transferred from the EU to the US pursuant to Privacy Shield prior to July 16, 2020, will continue to be protected and maintained by Parexel accordance with the Privacy Shield requirements in place prior to the abrogating judgment by the ECJ.
On September 8, 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC), issued a position paper stating that Swiss-US Privacy Shield does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).
From July 16, 2020, forward, Parexel no longer transfers data from the EU to the US under the EU-US Privacy Shield. From September 9, 2020, forward, Parexel no longer transfers data from Switzerland to the US under the Swiss-US Privacy Shield.
Parexel continues to hold personal data in the United States that was transferred to the US from the EU and Switzerland under the EU-US Privacy Shield and the Swiss-US Privacy Shield. This data will be held and maintained in accordance with the terms of the EU-US Privacy Shield and Swiss-US Privacy Shield programs.
Data processed: Parexel complies with the Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from EU or Switzerland to the U.S. pertaining to:
- clinical research site staff such as Investigators and Health Care Professionals
- potential and active clinical research participants and patients (to the extent the transferred data sets are not key-coded as outlined under the Privacy Shield Supplemental Principle 14. Pharmaceutical and Medical Products, g. Key-coded Data) **
- human resources such as candidates (Please be advised that Parexel maintains an internal policy that addresses the compliance with the Privacy Shield Principles for employees)
- business partners / customers
- vendors / suppliers
Purposes of data processing: Parexel collects, uses and retains personal information:
- as agent / data processor for the purpose to host it on behalf of business partners / customers and/or to provide clinical research services, clinical research management, consulting services, clinical research support activities, and statistical analysis of clinical studies on pharmaceutical products and/or regulatory affairs services and/or pharmacovigilance services to business partners / customers based on agreements executed between business partners / customers and Parexel;
- as data controller for the purpose to recruit potential clinical research participants, Investigators and for customer relationship management, customer service, social engagement, community building and data analytics purposes;
- as data controller for the purpose to recruit personnel and for the purpose of administering and carrying out the employment or personnel relationship.
Third parties who may receive personal information: Parexel's accountability for personal information that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Parexel remains responsible and liable under the Privacy Shield Principles if third party agents that it engages to process the personal information on its behalf do so in a manner inconsistent with the Privacy Shield Principles, unless Parexel proves that it is not responsible for the event giving rise to the damage.
Compelled disclosure: Parexel may be required to disclose personal information received from the EU or Switzerland in reliance on the Privacy Shield in response to lawful requests by U.S. public authorities, including to meet national security or law enforcement requirements.
Your rights to access, to limit use, and to limit disclosure: Inhabitants of Switzerland have rights to access personal information about them, and to limit use and disclosure of their personal information. With our Privacy Shield certification, Parexel has committed to respect those rights. Because Parexel personnel have limited ability to access data research site staff and Investigators or our business partners / customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the research site staff and Investigators or Parexel business partner / customer who submitted your personal information to our services. We will refer your request to that research site staff and Investigators or business partner / customer, and will support them as needed in responding to your request.
Inquiries and complaints: In compliance with the Privacy Shield Principles, Parexel commits to resolve complaints about our collection or use of your personal information. Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Parexel's Americas Regional Privacy Officer by writing to us at: Parexel International Corporation, 8 Federal St., Billerica, MA 01821, USA or firstname.lastname@example.org.
PAREXEL has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means.
U.S. Federal Trade Commission enforcement: Parexel`s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
* The following subsidiaries are included in Parexel's Privacy Shield Certification:
- Parexel International LLC
- ExecuPharm International, LLC
- Parexel International Corporation
- ExecuPharm, Inc.
- ExecuPharm Payroll Company, Inc.
- EP Technical, Inc.
- Liquent LLC
- Perceptive Informatics, LP
- Health Advances LLC
- Parexel (IMC), Inc.
- The Medical Affairs Company LLC
- TMAC Direct, LLC
** Please be advised that in respect to the collection, use, and retention of Key-coded Data of clinical research participants and patients Parexel is committed to the confidentiality, integrity and availability of such personal information as well and is putting in place other mechanisms to ensure a compliant transfer of such personal information from EEA member countries to the U.S.