Instem LSS (North America) Limited
EU-U.S. and Swiss-U.S. Privacy Shield Policy

Effective as of March 1, 2019

Instem LSS (North America) Limited (“INSTEM”) complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively the “Frameworks”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (defined below) transferred from the European Union and Switzerland to the United States, respectively, and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy shield policy (“Policy”) and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

SCOPE

This Policy applies to information transferred from European Union member countries and Switzerland that INSTEM receives in the United States relating to an identified or identifiable natural person residing in the European Union and Switzerland (including a legal entity residing in Switzerland) (“Data Subject”) that can be used to identify that individual either on its own or in combination with other readily available data, including name, job title, company affiliation and contact information (“Personal Data”). If the information has been irreversibly stripped of all identifiers such that an individual cannot be identified or re-identified, it is not Personal Data.

PRIVACY SHIELD PRINCIPLES

  1. Notice

INSTEM provides software products and other support services to businesses engaged in pre-clinical and clinical research / trials and collects business information from customers, vendors, and business partners. INSTEM stores and processes Personal Data on behalf of customers and those customers that use such software products may also process Personal Data at their discretion. Where INSTEM receives Personal Data from its affiliates or other entities, including when processing Personal Data under the direction of a customer, it will use such information in accordance with the notices provided by such entities and the elections made by the Data Subjects (as defined below) to whom such Personal Data relates.

INSTEM employees (permanent or temporary), directors, officers, contractors, workers, temporary workers, job applicants, former employees and any and all of their respective dependents (collectively “Personnel”) that have access in the U.S. to Personal Data from the European Union and Switzerland are required to comply with this Policy. Further information concerning how INSTEM collects, uses, shares and safeguards the Personal Data of Personnel is available to Personnel in INSTEM’s internal privacy policy.

INSTEM collects, uses and retains Personal Data (1) as agent / data processor for the purpose of hosting, as service provider, Personal Data on behalf of business partners / customers and/or to provide consulting service to business partners / customers based on agreements executed between business partners / customers and INSTEM; (2) as data controller for customer relationship management, customer service, social engagement, community building and data analytics purposes; and (3) as data controller for the purpose of recruiting Personnel and for the purpose of administering and carrying out Personnel employment or human resources functions and activities.

INSTEM is responsible for the processing of Personal Data it receives, under the Frameworks, and subsequently transfers to a third party that uses Personal Data provided to it by INSTEM to perform tasks on behalf of and/or under the instructions of INSTEM or to which INSTEM discloses Personal Data for use on its behalf (“Agents”). INSTEM shares EEA and Swiss Data with our subsidiaries, affiliates and Agents, who process Personal Data on behalf of INSTEM. INSTEM also shares EEA and Swiss Data with other third parties for the purposes for which INSTEM receives the EEA and Swiss Data (e.g., performance of contractual obligations and rights), and INSTEM may also disclose EEA and Swiss Data where INSTEM is legally required to disclose (e.g., under statutes, contracts or otherwise) or where the disclosure is permitted by law or the Privacy Shield Principles and INSTEM has a legitimate business interest in such disclosure.

  2. Choice

Data Subjects may choose whether their Personal Data is to be disclosed to a third party, or to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the Data Subject. Requests to opt out of such uses or disclosures of Personal Data should be sent to: privacy@instem.com

INSTEM will not process Personal Data regarding an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life (“Sensitive Personal Data”) about Data Subjects for purposes other than those for which the information was originally obtained or subsequently authorized by the Data Subject unless the Data Subject explicitly consents to the processing, or as required or permitted, or where not prohibited by law or regulation.

INSTEM may be required to disclose Personal Data in response to lawful requests by U.S. public authorities, including to meet national security or law enforcement requirements.

  3. Accountability for Onward Transfer

The notice and choice provisions of this Policy cover transfers of Personal Data to third parties.

INSTEM will only provide Personal Data to third parties as permitted by the Privacy Shield Principles and relevant contracts with customers providing such Personal Data. INSTEM remains liable under the Privacy Shield Principles if any such third party processes such Personal Data in a manner inconsistent with the Privacy Shield Principles, unless INSTEM can prove that it is not responsible for the event giving rise to the damage.

  4. Security

INSTEM will employ reasonable and appropriate technical, administrative and physical safeguards designed to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data INSTEM is processing.

  5. Data Integrity and Purpose Limitation

INSTEM endeavors to process and use Personal Data only in a way that is compatible with and relevant for the purpose for which it was provided to INSTEM. To the extent necessary for those purposes, INSTEM shall take reasonable steps to ensure that Personal Data in its possession is accurate, complete, current and reliable for its intended use. Where INSTEM processes Personal Data as a service provider under the direction of its customers, INSTEM works with such customers so that the customers can provide a way for Data Subjects to correct or update their Personal Data.

  6. Access

INSTEM will, on request, provide a Data Subject with confirmation regarding whether INSTEM is processing Personal Data about them. In addition, upon request of a Data Subject whose Personal Data is covered by this Policy, INSTEM will take reasonable steps to correct, amend, or delete their Personal Data if it is inaccurate or has been processed in violation of the Privacy Shield Principles, except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, where the rights of persons other than the Data Subject would be violated, or where doing so is otherwise consistent with Privacy Shield Principles. When INSTEM acts in its capacity as a service provider and has no direct relationship with medical research subjects participating in a clinical trial, any such Data Subjects who seek access, or who seek to correct, amend, or delete their inaccurate Personal Data, should direct their query to the relevant study sponsor or investigator which has transferred such Personal Data to INSTEM for processing.

  7. Recourse, Enforcement and Liability

INSTEM’s participation in the Frameworks is subject to investigation and enforcement by the Federal Trade Commission.

In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, INSTEM commits to resolve complaints about our collection or use of Personal Data. European Union and/or Swiss individuals with inquiries or complaints regarding our Policy should first contact INSTEM at: privacy@instem.com

INSTEM commits to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the international division of the American Arbitration Association (ICDR/AAA). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://go.adr.org/privacyshield.html for more information and to file a complaint.

INSTEM commits to cooperate with EU Data Protection Authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner regarding employee privacy complaints related to HR Privacy Data and complies with the advice given by EU Data Protection Authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner with regard to human resources data transferred from the EU and/or Switzerland in the context of the employment relationship.

EU Persons may have the option to select binding arbitration under the Privacy Shield Panel for the resolution of your complaint under certain circumstances. For further information, please see the Privacy Shield website. To learn more about the Privacy Shield Framework, visit www.privacyshield.gov.

CHANGES TO THE PRIVACY POLICY

This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Data is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.