EU-U.S., UK Extension & Swiss-U.S Data Privacy Framework
NAMSA is a Contract Research Organization (CRO) that accelerates product development through regulatory consulting, laboratory testing, and clinical research. NAMSA is committed to individual privacy and reveres the confidence of its customers, clinical trial participants, business partners, Associates (employees), and others. We strive to collect, use, and disclose personal information in a manner consistent with the laws of the countries in which we do business, while upholding the highest ethical standards in our business practices.
The EU – U.S. Data Privacy Framework, UK extension to the EU – U.S. Data Privacy Framework, and Swiss – U.S. Data Privacy Framework (the “Frameworks”) set forth the privacy principles NAMSA follows in regard to transfer of personal information from the European Economic Area (EEA) (which includes the twenty-seven member states of the European Union [EU] plus Iceland, Liechtenstein and Norway), the United Kingdom, and Switzerland, respectively, to the United States (U.S.).
NAMSA complies with the EU – U.S. Data Privacy Framework, UK extension to the EU – U.S. Data Privacy Framework, and Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on the Data Privacy Framework. NAMSA has certified to the Department of Commerce that it adheres to the Data Privacy Framework principles. If there is any conflict between the NAMSA privacy statement and the Data Privacy Framework principles, the Data Privacy Framework principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
EU – U.S. Data Privacy Framework
The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions to enable U.S. companies to satisfy the requirement, under European Union law, that adequate protection be given to personal information transferred from the EEA to the United States (the “EU – U.S. Data Privacy Framework”). On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision concludes that, for the purpose of Article 45 of Regulation (EU) 2016/679 (“EU GDPR”), the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. companies participating in the EU-U.S. Data Privacy Framework.
The EU – U.S. Data Privacy Framework is publicly displayed at www.namsa.com. For more information about EU – U.S. Data Privacy Framework principles and to view NAMSA’s certification, visit the U.S. Department of Commerce’s website at https://www.dataprivacyframework.gov/.
In compliance with the Data Privacy Framework principles, NAMSA commits to resolve complaints about our collection or use of your personal information. EU, United Kingdom and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact NAMSA at:
NAMSA World Headquarters
6750 Wales Road
Northwood, OH USA 43619
866.666.9455 (toll free)
419.666.9455 (outside of USA)
NAMSA has further committed to refer unresolved Data Privacy Framework complaints to TRUSTe, an alternative dispute resolution provider located in the United States.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request/.
Further, NAMSA commits to cooperate with EU, UK, and EEA data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU, UK and Switzerland in the context of the employment relationship. The possibility exists, under certain conditions, for the individual to invoke binding arbitration as indicated by Annex I of the EU – U.S. Data Privacy Framework. NAMSA is subject to the investigatory and enforcing powers from the Federal Trade Commission (FTC).
This Framework applies to all personal information received by NAMSA in the United States from the EEA, in any format, including electronic, paper, or verbal.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that collects or uses personal information under the instructions of, and solely for, NAMSA or to which NAMSA discloses personal information for use on NAMSA’s behalf.
“Sponsor” means any individual, corporation, or other entity which contracts NAMSA to perform services involving the transfer, processing, or reporting of personal information on behalf of and under the instructions of said “Sponsor.”
“NAMSA” means NAMSA, its predecessors, successors, subsidiaries, divisions, and groups in the United States and globally.
“Associate” means an individual employed by NAMSA, or an affiliate located in one of the EU member countries or the United Kingdom.
“Subcontractor” means any individual, corporation, or other entity under written contract with NAMSA to assist in fulfilling the responsibilities assigned by the Sponsor or to meet business needs.
“Personal information” means any information or set of information that identifies or could be used by or on behalf of NAMSA to identify an individual. This includes but is not limited to information that: pertains to a specific individual, can be uniquely linked to that individual (e.g., by name, social security number, driver’s license), originated in an EU Member State, the United Kingdom, or Switzerland, and is provided in any form. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.
“Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views or activities, that concerns health or sex life, information about social security benefits, or information on criminal or administrative proceedings and sanctions other than in the context of pending proceedings. In addition, NAMSA will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.
NAMSA is committed to respecting the privacy of individuals. NAMSA has internal procedures to repeatedly review and monitor the use of personal information and to ensure it is used responsibly and that we comply with internationally recognized standards of privacy protection. Internationally recognized standards require that the processing of personal data, both automated and manual, meet the data protection principles as described in this EU-U.S. Data Privacy Framework, UK extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework.
NOTICE: Where NAMSA collects personal information directly from study subjects, study investigators, Associates, or other sources in the EU, United Kingdom, and Switzerland, they will be informed regarding the purpose and use of the personal information, the types of non-agent third parties to which NAMSA discloses that information and the choices, if any, that NAMSA offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as practicable thereafter and before NAMSA uses the information for a purpose other than for which it was originally collected. Notice may be given in person, by email, post, telephone, or by posting on the NAMSA intranet or website.
CHOICE: NAMSA will offer individuals the opportunity to choose (opt out) if their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. Affirmative or explicit (opt in) choice must be given if sensitive information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized by the individual.
TRANSFER TO AGENTS: NAMSA may share personal information with its subcontractors or other agents of the Sponsor as required to successfully complete Sponsor activities or to meet business needs. NAMSA may, for example, provide personal information to vendors hosting databases, to core laboratories participating in the research project, or to study subjects that request copies of the personal information collected by the Sponsor. NAMSA will obtain guarantees from its subcontractors that they will protect personal information consistently with this EU – U.S. Data Privacy Framework, UK extension to the EU-U.S. Data Privacy Framework, and Swiss – U.S. Data Privacy Framework. NAMSA may assume potential liability for onward transfers to third parties. Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating or agreement with the third party to provide at least the same level of protection as is required by the relevant EU – U.S. Data Privacy Framework, UK extension to the EU-U.S. Data Privacy Framework, and Swiss – U.S. Data Privacy Framework principles, being subject to the EU General Data Protection Regulation, EU – U.S. Data Privacy Framework certification, UK extension to the EU-U.S. Data Privacy Framework certification, and Swiss – U.S. Data Privacy Framework certification by the third party, or being subject to another European Commission adequacy finding.
NAMSA will take reasonable steps to prevent or stop the use or disclosure if NAMSA has knowledge that third party is using or disclosing personal information in a manner contrary to this Policy.
ACCESS AND CORRECTION: Upon request, NAMSA may grant reasonable access to personal information it holds about individuals. NAMSA will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated. Those rights may be honored by NAMSA following proper authentication and verification.
SECURITY: NAMSA maintains a high level of data security and has implemented appropriate physical, electronic, and quality system procedures to safeguard and secure personal information. Computer equipment, networks, programs, data, and documentation are maintained to high standards, and precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and/or destruction are in place.
DATA INTEGRITY: NAMSA will use personal information in ways that are compatible with the purpose for which it was collected or authorized by the individual. NAMSA will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
NAMSA World Headquarters
6750 Wales Road
Northwood, OH USA 43619
419.666.9455 (outside of U.S.)
NAMSA will provide an annual self-certification letter to ensure appearance on the list of EU – U.S. Data Privacy Framework, UK extension to the EU-U.S. Data Privacy Framework, and Swiss – U.S. Data Privacy Framework participants.
TRAINING: NAMSA has provided its Associates with appropriate training to ensure that all individuals who process personal information are fully aware of their responsibility with respect to data protection.
LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by NAMSA to these EU – U.S. Data Privacy Framework, UK extension to the EU-U.S. Data Privacy Framework, and Swiss – U.S. Data Privacy Framework principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest, or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule, or regulation.
OTHER COVERED ENTITIES
This Data Privacy Framework Statement applies to NAMSA as well as its affiliates and subsidiaries, including Syntactx, American Preclinical Services (APS), Clinlogix, ÅKRN Scientific Consulting, Medanex Clinic, Perfectus Biomed Group, and CRI.
10 October 2023