The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions to enable US companies to satisfy the requirement, under European Union law, that adequate protection be given to personal information transferred from the EEA to the United States (the “US-EU Safe Harbor”). The EEA has also recognized the US-EU Safe Harbor as providing adequate data protection (OJ L 45, 15.2.2001, p.47). The United States Department of Commerce and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland have agreed on a similar set of principles and frequently asked questions to enable US companies to satisfy the requirement under Swiss law that adequate protection be given to personal information transferred from Switzerland to the United States (the “US-Swiss Safe Harbor”). Consistent with its commitment to protect personal privacy, NAMSA adheres to the principles set forth in the US-EU Safe Harbor and the US-Swiss Safe Harbor (the “Safe Harbor Principles”).
NAMSA participates in the U.S. – E.U. Safe Harbor framework and the U.S. – Swiss Safe Harbor as set forth by the United States Department of Commerce. As part of our participation[TRUSTe1] in the Safe Harbor, we have agreed to TRUSTe dispute resolution for disputes relating to our compliance with the Safe Harbor Privacy Framework. If you have any complaints regarding our compliance with the Safe Harbor, you should first contact us (as provided below). If contacting us does not resolve your complaint, you may raise your complaint with TRUSTe by Internet here[TRUSTe2] , fax to 415-520-3420, or mail to TRUSTe Safe Harbor Compliance Dept., click for mailing address[TRUSTe3] . If you are faxing or mailing TRUSTe to lodge a complaint, you must include the following information: the name of company, the alleged privacy violation, your contact information, and whether you would like the particulars of your complaint shared with the company. For information about TRUSTe or the operation of TRUSTe’s dispute resolution process, click here[TRUSTe4] or request this information from TRUSTe at any of the addresses listed above. The TRUSTe dispute resolution process shall be conducted in English.
This Policy applies to all personal information received by NAMSA in the United States from the EEA and from Switzerland, in any format, including electronic, paper or verbal.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that collects or uses personal information under the instructions of, and solely for, NAMSA or to which NAMSA discloses personal information for use on NAMSA’s behalf.
“Sponsor” means any individual, corporation, or other entity which contracts NAMSA to perform services involving the transfer, processing, or reporting of personal information on behalf of and under the instructions of said “Sponsor.”
“NAMSA” means NAMSA, its predecessors, successors, subsidiaries, divisions and groups in the United States and globally.
“Associate” means an individual employed by NAMSA, or an affiliate located in one of the EU member countries or Switzerland.
“Subcontractor” means any individual, corporation, or other entity under written contract with NAMSA to assist in fulfilling the responsibilities assigned by the Sponsor or to meet business needs.
“Personal information” means any information or set of information that identifies or could be used by or on behalf of NAMSA to identify an individual. This includes but is not limited to information that: pertains to a specific individual, can be uniquely linked to that individual (e.g., by name, social security number, driver’s license), originated in an EU Member State or Switzerland, and is provided in any form. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.
“Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views or activities, that concerns health or sex life, information about social security benefits, or information on criminal or administrative proceedings and sanctions other than in the context of pending proceedings. In addition, NAMSA will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.
NAMSA is committed to respecting the privacy of individuals. NAMSA has internal procedures to repeatedly review and monitor the use of personal information and to ensure it is used responsibly and that we comply with internationally recognized standards of privacy protection. Internationally recognized standards require that the processing of personal data, both automated and manual, meet the data protection principles as described in this Safe Harbor Policy.
NOTICE: Where NAMSA collects personal information directly from study subjects, study investigators, Associates, or other sources in the EU or Switzerland, they will be informed regarding the purpose and use of the personal information, the types of non-agent third parties to which NAMSA discloses that information and the choices, if any, that NAMSA offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as practicable thereafter and before NAMSA uses the information for a purpose other than for which it was originally collected. Notice may be given in person, by email, post, telephone, or by posting on the NAMSA intranet or website.
CHOICE: NAMSA will offer individuals the opportunity to choose (opt out) if their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. Affirmative or explicit (opt in) choice must be given if sensitive information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized by the individual.
TRANSFER TO AGENTS: NAMSA may share personal information with its subcontractors or other agents of the Sponsor as required to successfully complete Sponsor activities or to meet business needs. NAMSA may, for example, provide personal information to vendors hosting databases, to core laboratories participating in the research project, or to study subjects that request copies of the personal information collected by the Sponsor. NAMSA will obtain guarantees from its subcontractors that they will protect personal information consistently with this Safe Harbor Policy. Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating or agreement with the third party to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the third party, or being subject to another European Commission adequacy finding.
NAMSA will take reasonable steps to prevent or stop the use or disclosure if NAMSA has knowledge that third party is using or disclosing personal information in a manner contrary to this Policy.
ACCESS AND CORRECTION: Upon request, NAMSA will grant reasonable access to personal information it holds about individuals. NAMSA will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated.
SECURITY: NAMSA maintains a high level of data security and has implemented appropriate physical, electronic, and quality system procedures to safeguard and secure personal information. Computer equipment, networks, programs, data and documentation are maintained to high standards, and precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and/or destruction are in place.
DATA INTEGRITY: NAMSA will use personal information in ways that are compatible with the purpose for which it was collected or authorized by the individual. NAMSA will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Steven Napier, Data Privacy Officer
NAMSA World Headquarters
6750 Wales Road
Northwood, OH USA 43619
866.666.9455 (toll free)
419.666.9455 (outside of USA)
NAMSA will provide an annual self-certification letter to ensure appearance on the list of Safe Harbor participants.
TRAINING: NAMSA has provided its Associates with appropriate training to ensure that all individuals who process personal information are fully aware of their responsibility with respect to data protection.
LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by NAMSA to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
This Safe Harbor Policy may be amended from time to time consistent with the requirements of the Safe Harbor Framework. We will post any revised policies on the NAMSA website.
DRAFT 24 April 2015