Clinical Trials Privacy Notice
Effective Date: July 25, 2022
Verici Dx (“Verici”, “we”, “us”, “our”) takes the protection of your personal information (“Personal Data”) very seriously. Personal Data is any information about you that can be used to identify you as a person. This Privacy Notice (this “Notice”) describes how we use your Personal Data when we conduct clinical trials (a “Trial” or the “Trials”) of our diagnostic tests.
Verici Dx, as Sponsor of the Trial listed below, is the “data controller” for your Personal Data. This Notice is meant to help you understand what information we collect when you agree to be part of one of our Trials, why we collect it, and your rights. We are required to give you this information in order to comply with the privacy law, including Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) and the GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and any regulations thereunder, and the UK Data Protection Act 2018 (the “UK GDPR”).
This Notice does not apply to Personal Data we collect by other means, like Personal Data that we receive directly through our public website (which is governed by this privacy notice: https://vericinew.wpengine.com/privacy-notice). This Notice also does not apply to Personal Data of our employees or medical staff on our Trials (which is governed by the privacy notice provided directly to the employees and site personnel).
Verici participates in Trials as a Sponsor. If you have consented to be a part of our Trials, we will use and protect your Personal Data as described below.
Verici’s Trials investigate whether our genomic tests can help predict risk of organ transplant rejection. Our current Trials focus on whether our tests can predict how a body’s immune system will react to a kidney transplant.
YOUR PRIVACY RIGHTS
Under certain circumstances, by applicable law, you may have the right to request:
• access to your Personal Data (commonly known as a “data subject access request”) and receive a copy of it;
• that we update or correct your Personal Data;
• erasure of your Personal Data;
• that we stop processing your Personal Data where we processing it relying on a legitimate interest;
• that we suspend the processing of your Personal Data when you have asked us to check its accuracy and in other cases;
• to export a copy of your Personal Data in a format that allow you to reuse your data.
• withdraw your consent at any time (if applicable);
• lodge a complaint with the data protection authority. If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.
To make these requests, please contact your study site or our Data Protection Officer (VeraSafe) at email@example.com. Additional contact details are available in the Section titled “Questions”, below.
PERSONAL DATA WE HOLD ABOUT YOU
In the context of this Notice, we collect your Personal Data only from the following two sources:
• you provide it to us when you participate in a Trial; or
• your doctors or healthcare providers provide it to us.
When conducting the Trials, Verici will have access to the following types of Personal Data:
If you are an organ transplant recipient, Verici will process the following information:
• Medical record and health information, including information related to tests and procedure done and blood, urine, or tissue samples taken in the Trial (as described more fully in the Informed Consent Form you signed. Please ask the study staff at your trial site for a copy if you would like to review this form).
If you are the living donor of an organ, Verici will process the following information as applicable:
• If you consented to provide a blood sample as part of the Trial, information related to the tests and procedures done as part of the Trial (as described more fully in the Informed Consent Form you signed. Please ask the study staff at your trial site for a copy if you would like to review this form).
• Race, age, and other health information you provided when you consented to the donation procedure (and not this Trial). This information was provided by you to the hospital that conducted the organ removal. We will never see your name, ID, or any other identifying piece of data in connection with this information, only certain characteristics (like your race or age) that many hospitals use in connection with predicting the probability of success or failure of a particular organ transplant.
HOW WE USE PERSONAL DATA
We use your Personal Data to:
• conduct our Trials;
• ensure that our Trials are conducted safely and in accordance with all applicable laws, regulations, and codes of conduct;
• conduct related scientific and medical research.
Please see the Informed Consent Form you signed for additional details about how the Trial in which you are involved will be conducted and how your Personal Data will be used during and after the Trial.
During, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on a legal basis of processing under the GDPR and/or UK GDPR, and will only process your sensitive Personal Data (like health and genetic data) when we are permitted to do so.
We will generally use and process your information on the basis of your explicit consent. However, where we are not relying on your consent, including in the UK, we may also process your data based on our legitimate interests or legal obligations (to process Personal Data), and for scientific research purposes or for reasons in the public interest (to process sensitive Personal Data) in conducting clinical trials and performing valuable scientific and medical research to improve the treatment of kidney transplant patients by better predicting the outcome of a particular transplant. If we process your Personal Data, including sensitive Personal Data, for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interests (to process Personal Data) and for scientific research purposes (to process sensitive Personal Data) in conducting additional research predicting transplant efficacy pursuant to Articles 6 and 9 of the GDPR and/or UK GDPR. Whenever we process your data we will require implementation of strong organizational and technical measures (including pseudonymization, described below, and strong encryption) both of ourselves and our service providers to minimize any risk of harm to you related to this processing.
You may exercise any of the Data Subject Rights described above by contacting your study site or any of the other parties described in the section titled “Questions”, below. If you elect to stop participation in the study, Verici may be unable to delete, modify, or stop processing data collected during your participation in the study up to the point you decided to withdraw. Information collected in connection with the study will remain part of the study after your participation has ended to guarantee the validity of the study and to comply with the laws and regulations governing clinical trials.
In all circumstances described below, the Personal Data shared will be pseudonymized or “key-coded”. This means we replace identifying information like your name and contact information with a code number. None of the third parties listed below will be able to identify you from the Personal Data shared with them.
The only parties who will have access to your name, ID number and other identifying information are the Trial doctors and hospital staff involved in conducting the Trial. In all jurisdictions other than Italy, they will act as our processors (service providers) solely for the purposes of collecting the data necessary for and administering this Trial, including conducting the pseudonymization of your data, and holding the key to such pseudonymization. They will act as independent controllers for all other interactions with you, and in all other data they collect from you. In Italy, the hospital site and staff are considered our joint-controllers.
Within the company:
Your personal data may be disclosed to our Clinical Trial Operations, Quality, Regulatory and administration departments for administrative and management purposes as described in this Privacy Notice, including to our Laboratory which will conduct some of the testing and analysis required to conduct the Trial.
We may share your Personal Data with the contracted research organization for Trial operations, with the laboratories involved in analysing the medical data involved in the Trial, with the Trial sites and Doctors as described above, and with cloud-based software providers, providers of medical software, hosting, data analytics, and other service providers who host the platforms used to facilitate the Trial.
We require that all of these service providers protect your Personal Data, including through the adoption of adequate security measures, and use the data solely to provide the services to us.
Regulatory or governmental agencies:
We may share your Personal Data with certain regulatory agencies who oversee the conduct of clinical trials, including the United States Food and Drug Administration (“FDA”), the European Medicines Agency (“EMA”) and the Medicines and Healthcare products Regulatory Agency (“MHRA”) as required to comply with certain reporting and regulatory obligations or in the context of future research.
Other third parties:
We may share your Personal Data with other third parties, for example in the context of the possible sale or restructuring of the business, or to relevant third parties such as auditors, lawyers or professional advisors, or our insurers.
We may also disclose your Personal Data to comply with a subpoena, bankruptcy proceedings, or similar legal process, or in response to lawful requests by public authorities, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of you or third parties, or the public at large.
Personal Data submitted in connection with your participation in the clinical trial will be transferred to Verici Dx, and may be transferred to Verici Dx’s other group entities, contracted research organization for clinical trial operations, cloud-based software providers, providers of medical software, hosting, data analytics, and other service providers or investigators all of whom are in the United States or the European Union (where some of the servers hosting the electronic data capture system are located). The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. If this transfer occurs, it will be for the same purposes as described in this Notice. We will only transfer your Personal Data to these countries where there are appropriate safeguards in place. Where required, these safeguards include the use of the European Commission-approved Standard Contractual Clauses or other mechanisms required by the local data protection authority. We will also take steps to ensure that your Personal Data receives an adequate level of security protection wherever it is processed.
We have put in place, and have required our service providers to put in place, appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include the use of measures like key-coding and encryption, where appropriate. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know are subject to confidentiality obligations.
We will only retain your Personal Data for as long as necessary for the purposes described above, including for future research purposes, or for long as required by applicable law. Trial data may be kept for 15 years, or for the maximum period required by law. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and the applicable law.
If you have any questions about this Notice or our processing of your Personal Data, please contact firstname.lastname@example.org or our Data Protection Officer (DPO) at the contact information provided below. Our DPO will respond to you as soon as possible but no later than 4 weeks after you contact us.
Data Protection Officer:
We have appointed VeraSafe as our DPO. You may contact VeraSafe at email@example.com, or at any of the following addresses:
100 M Street S.E.
Washington, D.C. 2003
USA VeraSafe, LLC
Plaza de la Solidaridad 12, planta 5
+420 228 881 031
Spain VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL,
+44 (20) 4532 2003
European Union and United Kingdom Representative
We have appointed VeraSafe as our Representative in the European Union and the United Kingdom for data protection matters. While you may also contact us, please contact VeraSafe on matters relating to the processing of your Personal Data.
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
If you want to seek an independent recourse mechanism, you may contact your local Data Protection Authority (DPA). You can find a list of each European Union country’s DPA here: https://edpb.europa.eu/about-edpb/board/members_en. If you are based in the United Kingdom, your local DPA will be the UK Information Commissioner’s Office, which can be found here: https://ico.org.uk/.
CHANGES TO THIS PRIVACY NOTICE
We may update this Privacy Notice at any time, and we will either provide you with a new privacy notice or update the web page you read it on. We will also update the “Effective” date at the top of this Notice.