Velocity Privacy Policy

Document Title Velocity Privacy Policy
Document # POL GEN-007
Revision # 00
Effective Date 15 Apr 2024

1. Introduction

Velocity Clinical Research Inc. ("we" or "our", “Velocity”) collects, stores, and processes Personal Data about individuals such as employees, suppliers, patients, and other third parties (“Data Subjects”) for a variety of purposes.

This policy outlines how we seek to protect such Personal Data. It helps ensure that we understand the principles governing the use of Personal Data. It also describes how we collect, handle and store Personal Data to meet our own data protection standards, and to comply with the EU General Data Protection Regulation 2016/679 (the "GDPR") and other related regulations and delegated national legislation (together "Data Protection Law").

Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

a. Scope

This policy applies to all Employees who handle the Personal Data of individuals for business purposes both inside and outside of Velocity.

b. Objective

Our objective is to protect the data subjects by obtaining, collecting, handling, and processing their Personal Data in accordance with applicable data protection law.

c. Consequences of breaching this policy

We take compliance with this policy and our obligations under Data Protection Law very seriously. A failure to do so may put our employees, others and Velocity as a whole at risk of non-compliance. Any breach of this policy may result in disciplinary action being taken, up to and including dismissal.

d. Related policies and procedures

This policy supplements our other related policies and procedures (which may be implemented or amended from time to time). They can be found stored within MasterControl, Velocity’s Quality Management System (QMS) document repository.

e. What is data protection and why is it important

All individuals have rights pertaining to the way in which their Personal Data are processed. The term "Data Protection" in this policy refers to the processing of Personal Data in such a manner as to provide and protect the corresponding rights to privacy which Data Subjects have and their legal protection surrounding Personal Data (according to applicable data protection law).

f. What are Personal Data

Personal Data means any data (or a combination of data) from which a living individual can be identified directly or indirectly. Personal Data can be factual, or it can be an opinion about an individual, their actions, and behavior.

Within Personal Data there is a sub-category: Special Categories of Personal Data. These are information related to a person's race or ethnicity, political opinions, religious, spiritual or philosophical beliefs, trade union membership, physical or mental health, sexual life, biometric data for the purpose of uniquely identifying a natural person, genetic data and data concerning a natural person's sex life or sexual orientation (according to data protection law, e.g. Art. 9 GDPR). There are even stricter conditions for processing Special Categories of Personal Data.

2. Data protection principles

There are several principles under data protection law which must be satisfied while processing Personal Data. In the following section you will find a description of how we aim to achieve compliance with these principles:

  • Accountability: We are responsible for ensuring and must be able to demonstrate that the key principles and rules of Data Protection Law are met.
  • Lawfulness, Fairness and Transparency: Personal Data may only be processed lawfully, fairly and in a transparent manner. This means we must inform Data Subjects on how and why we process their data (transparency) that the processing must match the description given to the Data Subjects (fairness) and that the processing uses one of the legal bases set forth in data protection law (lawfulness).
  • Purpose Limitation: We must specify exactly what the Personal Data we collect will be used for (prior to collecting them) and limit the processing of that Personal Data to only what is necessary to meet the specified purpose.
  • Data Minimization: The Personal Data we collect shall be adequate, relevant and limited only to what is necessary for the purposes for which they are processed.
  • Accuracy: We have processes in place to ensure that Personal Data is accurate and kept up to date.
  • Storage Limitation: Personal Data shall be kept in such a way which enables us to identify the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.
  • Security/Integrity and Confidentiality: We use appropriate technical and organizational measures to protect the integrity and confidentiality of Personal Data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage.

a. Accountability

Monitoring

There are significant implications for Personal Data Breaches or non-compliance with our legal responsibilities under data protection law. It is our responsibility to process all Personal Data in accordance with our legal obligations and the principles of Data Protection.

If we do not meet the accountability requirements of data protection law, there is not only a risk of non-compliance, but also a significant risk to our reputation.

We assess compliance with this policy in two regards:

  1. Compliance in relation to the protection of Personal Data in general
  2. The effectiveness of Data Protection measures related to our operational practices

We do reviews on a regular basis and follow the rules of the PDAC Cycle (Plan-Do-Act-Check) for the control and continuous improvement of our processes. This is to establish that an adequate level of compliance is being achieved.

Personal data breach reporting

It is our responsibility to report a personal data breach to the appropriate supervisory authority within 72 hours, if required by law (this is counted from the time we became aware of the incident).

When it is suspected that a Personal Data Breach has taken place for which we are responsible (as Controllers) it must be investigated internally by the Data Protection Officer (DPO) and the incident response team. If the incident results in a risk for Data Subjects, it must be reported to the applicable supervisory authority within 72 hours of becoming aware of the incident.

Training

All Employees must complete Data Protection training relevant to their position.

The Human Resources team is responsible for ensuring that new employees are trained as part of onboarding, and all employees are retrained annually on Data Protection or whenever there is a substantial change in the law or our policy and procedure, whichever is more frequent.  Velocity Quality is responsible for maintaining training records and storing the most up-to-date training materials and documents.

Responsibility

Each Employee who handles Personal Data has a responsibility to handle and process the Personal Data in line with this policy and applicable data protection law.

There are positions in Velocity with specific areas of responsibility:

  • Company Leadership is ultimately responsible for ensuring that we meet our legal obligations.
  • The Velocity Privacy Officer has overall responsibility for ensuring compliance with Data Protection Law.
  • The Privacy Team has overall responsibility for the day-to-day implementation of this policy and for:
    • Reviewing all Data Protection procedures and policies on a regular basis
    • Arranging Data Protection training and advice for all staff members and those included in this policy
    • Responding to Data Subjects who wish to know which Personal Data are being held on them by us
    • Checking and approving with third parties that handle our Personal Data and contracts or agreements regarding Processing
    • Maintaining a Record of Processing Activities incl. regular reviews and approvals
  • The Head of Information Technology is responsible for:
    • Ensuring that all systems, services and equipment used for storing data meet acceptable security standards
    • Performing regular checks and scans to ensure security hardware and software is functioning properly
    • Evaluating any third-party services Velocity is considering using to retain or process Personal Data
Overview over processing activities

Data protection law stipulates broad requirements regarding the documentation and proof of compliance with Data Protection obligations. A key element in this regard is the overview over processing activities as set forth in data protection law. We demonstrate data protection compliance through documentation in the Foxondo application[1].

“Privacy by design”

We seek to structure internal processes to have Data Protection principles embedded into every stage of processing activities. “Privacy by design” means that, both before and during any processing activity we carry out, we must implement appropriate technical and organizational measures to integrate safeguards into the processing. This is important to protect Data Subjects and meet the requirements of data protection law.

We always aim to implement appropriate technical and organizational measures both at the time of determination of the means for processing and at the time of the processing itself to ensure the principle of Data Minimization is met.

To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, a pre–Data Protection Impact Assessment (DPIA) check must be completed before starting a project (a preliminary, shorter Data Protection Impact Assessment). Depending on the outcome, a full DPIA might be legally required.

b. Lawfulness, fairness and transparency

We are responsible for understanding the context in which the Personal Data processing occurs as part of our day-to-day operations. We want to ensure that this is done fairly and in line with the law, and that we can clearly describe this to Data Subjects. We will always process Personal Data lawfully, fairly, and transparently in accordance with the Data Subject's rights.

Our third-party suppliers/contractors that process Personal Data on our behalf also have obligations of data protection. As such, we are legally required to:

  • only engage the services of third-party suppliers/contractors who can demonstrate compliance with data privacy law, e.g. GDPR;
  • put in place prescribed contractual arrangements with third party suppliers/contractors which meet the requirements of data privacy law, e.g. GDPR; and
  • demonstrate to the data protection authorities that we have complied with these legal obligations.
Personal data collection and notification

We may only collect Personal Data where it is necessary for lawful purposes or explicitly allowed. We will only collect Personal Data from Data Subjects if one of the following statements applies:

  • We are required to do so by an obligation imposed on us by law, e.g. EU or applicable local law.
  • The processing is necessary to do so for business purposes and for our organization to enter into or perform its contractual obligations with Data Subjects.
  • The processing is in our (reasonable) legitimate interests and the data subjects do not have more important conflicting interests.
  • The individuals consented. This consent needs to be freely given and to be gathered according to applicable data protection law, e.g. Art. 7 GDPR.
  • The data processing is in the vital interest of the data subject or another person.

When we collect personal data, we provide Data Subjects with information regarding the processing of their personal data free of charge in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This includes information on third parties to which their personal data is disclosed to and the purpose for which this happens.

As far as Personal Data will be transferred from GDPR territory to the USA within the Velocity Group, this will include information that

  • Velocity is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC);
  • Velocity is obliged to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles;
  • Velocity is required to disclose personal information in response to lawful by public authorities, including to meet international security or law enforcement requirements;
  • Velocity is liable in cases of onward transfers to third parties;

 

c. Purpose limitation: Processing for limited purposes

Personal Data collected for one purpose may not usually be used for a different purpose. We aim to only process Personal Data for purposes specifically permitted under data protection law. We inform the Data Subjects of those purposes.

d. Data minimization: Adequate, relevant, and non-excessive processing

Every processing should only use as much Personal Data as is required to successfully accomplish a particular purpose. We will always seek to collect Personal Data to the extent that it is required for the specific purpose notified to the Data Subject, and do not collect Personal Data which we do not need.

e. Accuracy: Ensuring that personal data is accurate

We aim to ensure that our systems and processes for identifying inaccurate information are robust and to act quickly to update or erase any inaccurate Personal Data. We endeavor to ensure that the Personal Data we hold is accurate and kept up to date. The Data Subjects may ask that we correct inaccurate Personal Data relating to them.

f. Storage limitation: Timely processing and data retention

We aim to not keep the Personal Data of Data Subjects for any longer than is necessary in accordance with applicable law. We take all required steps to destroy or erase all Personal Data from our systems (electronic/paper-based) which is no longer required.

All employees must ensure that they are familiar with the deletion concept/retention policy.

g. Security/integrity and confidentiality: Security of personal data

We should always make sure that all Personal Data held by us are subject to a level of security that is appropriate for the potential risk. We take appropriate security measures against unlawful and unauthorized processing of Personal Data, and against the accidental loss of, or damage to, Personal Data in line with our Information Security policy. Security procedures include (but are not limited to):

  • Entry controls – Visitors cannot access facilities without assistance from employees and are not permitted in locations where personal data are stored unless escorted.
  • Secure lockable desks and cupboards – desks and cupboards are kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Access controls – Data stored on a computer is protected by strong passwords and identification technologies.
  • Retention location controls – Data is never saved directly to mobile devices such as laptops, tablets, or smartphones (but to centralized servers).
  • Methods of disposal – paper documents are disposed of in locked boxes and shredded by a licensed and bonded shredding service. Digital storage devices are wiped using a full data overwrite or physically destroyed when they are no longer required.
  • Equipment – data users ensure that individual monitors do not show confidential information to passers-by and that they log off from or lock their PC when it is left unattended.

3. Rights of the data subject

We must deal with any requests from Data Subjects exercising their rights without undue delay, and within one month of receipt. It may only take longer if exceptional circumstances are in place.

Data subjects have the following rights:

  • Right to information
  • Right to rectification (data correction)
  • Right to deletion
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to a purely automated decision with negative effects

Data Subjects also have the right to lodge a complaint with the Data Protection supervisory authority about how we process their Personal Data.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

4. Data transfers

We sometimes transfer Personal Data to other entities. These entities can be subsidiary companies within our group but also other companies who process data on behalf of our company or provide the IT systems and services our users employ to process data.

Velocity will always ensure that these transfers are based on a legal basis. Where necessary for data transfers from the EU, Velocity will have in place Standard Contractual Clauses.

If we engage companies to process data on our behalf, we will cooperate only with processors who fulfil our requirements of providing appropriate technical and organizational measures which meet our standards and the requirements of data protection law. Before personal data is processed, data processing agreements will be in signed to bind the processor accordingly.

5. Velocity Privacy Officer and Data Protection Officer

The Velocity Privacy Officer helps facilitate our compliance with data protection law and acts as a point of contact for day-to-day issues and questions on data protection for both employees and the Data Protection Officer. The Velocity Privacy Officer has overall responsibility for managing the roll out of the various data protection law project work streams and the day-to-day implementation of this policy. These are her contact details:

          Velocity Privacy Officer: Brandi Lang - privacy@velocityclinical.com.

The Data Protection Coordinator is the main contact point for our Data Protection Officer, whose contact details are the following:

          Data Protection Officer: Alef Völkner and her team - tel. +49 22 66 - 90 15 920, DSB@fox-on.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at the above mentioned contact details.

The data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The data protection officer reports directly to the highest management level.

 

6. Revision History

Version Number Revision Date Revision Summary
00 NA Original

 

7. Glossary of Terms

Term Meaning
Employee(s)

 

All those employed or engaged in any capacity by Velocity. For the purposes of this policy, the word Employees extends to include the following categories: Board Members, Employees (full time, fixed term, part time and temporary), Contract workers, applicants and pensioners.
Controller

 

A Controller is a person or organization that determines the purposes for which, and the manner in which, any Personal Data are processed, establishing practices and implementing policies in line with applicable data protection law.
Data Protection

 

This term refers to the relationship between the processing of Personal Data, the associated expectations of privacy and the legal protection surrounding them.
Data Subject

 

The individual to whom Personal Data relates such as an employee, client, contact person with a business partner, etc.
Data Protection Authority

 

The Data Protection Commission is the supervisory authority/regulator responsible for enforcing Data Protection Law and upholding the data protection and privacy rights of Data Subjects in relation to the Processing of their Personal Data.
Personal Data

 

Personal Data means any information (or a combination of information) from which a living person can be directly or indirectly identified as well as information containing statements about a person (e.g., Name, salary information, marital status, sick leave dates)
Personal Data Breach This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Processing

 

Processing is any activity which involves the use of Personal Data. It includes i.e. obtaining, recording or holding Personal Data, or carrying out any operation or set of operations on Personal Data including organizing, amending, retrieving, using, disclosing, erasing or destroying data. Processing also includes sharing or transferring Personal Data to third parties and accessing of Personal Data held by a Controller or Processor.
Processor A Processor is any organization or external person that processes Personal Data on behalf of and/or on instruction of a Controller.
Special Categories of Personal Data As defined in data protection law, e.g. Art. 9 GDPR: Personal Data that are related to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or sexual life/orientation, biometric data for the purpose of uniquely identifying a natural person and/or genetic data.

 

Document Title Privacy Notice - HR -- Employee
Document # FORM GEN-001
Revision # 00
Effective Date 15 Apr 2024

Privacy Notice for Employees

This document informs you about the processing of your personal data by your employer, Velocity Clinical Research. Velocity Clinical Research is the Data Controller of your personal data.

Purposes of the data processing, personal data and legal basis

We process your personal data solely for employment (onboarding, throughout employment, and during termination) related to your role and function in our company and for our legitimate business interests. These include:

Purpose Personal data categories Legal basis
Personnel management (e.g. maintenance of employee files), onboarding, external communication Basic employee data (e.g. name, gender, nationality, private address and contact information, employee number and IDs, position, information on work equipment, contract data, social security number, work permits, insurance data)

 

Performance of (temporary or permanent) employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR)
Quality management and tracking of personnel actions Basic employee data, information on specific actions (e.g. participation in internal processes, actions taken in clinical studies, shift planning) Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or or Art. 6 (1) (b) GDPR); legitimate interests of keeping high quality standards in the company (in the EU: Art. 6 (1) (f) GDPR)

 

Payments and accounting (including payroll accounting, payment of wages and salaries, financial accounting, tax withholdings, personnel cost planning and budgeting)

 

Basic employee data, payment data (e.g. salary and payments, loans and advances, bonuses, national insurance number, banking data, travel expense data) Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR)
Pensions management

 

Name, contract data (e.g. on termination of employment, position), pension and social security data (e.g. salary, special payments, absences).

 

Fulfilment of legal duties (in the EU: Art. 6 (1) (c) GDPR).
Employee time management (including organization of absences, planning and recording of working hours and vacation time, parental leaves)

 

Basic employee data and time management data (e.g. working hours, holiday and other absences, parental leave, sick leave, family medical leave) Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act)
Performance reviews, internal talent management Basic employee data and performance data (e.g. training data, performance reviews, metrics, roles, supervisor name) Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act); internal talent acquisition is based on legitimate interests to keeping high quality standards in the workforce

 

Training and development Basic employee data and training data (e.g. training events, training history, skills assessment results) Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act)

 

Recording work incapacity Basic employee data and incapacity data (e.g. on work accidents, examinations, emergency contact information) Fulfilment of employment-related duties (e.g. in Germany: Sec. 26 (3) of the Federal Data Protection Act)

 

IT security and improvement Name, technical data (e.g. employee ID, laptop ID and configuration, laptop security alerts, login data) Legitimate interests in keeping the IT infrastructure secure (e.g. in the EU: Art. 6 (1) (f) GDPR)

 

Legal claims and disputes management Name, claims-related information (e.g. information on disciplinary actions, breaches, warnings) Legitimate interests (in the EU: Art. 6 (1) (f) GDPR, or in case of special categories of personal data: Art. 9 (2) (f) GDPR

In limited cases, we will rely on your consent, e.g. for publication of your photo or keeping lists on anniversaries and birthdays (in the EU: Art. 6 (1) (a) GDPR).

Recipients

We only transfer data to third parties if this is necessary or if there is a legal basis.  Categories of third parties that may receive or be able to access your data include:

  • Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
  • Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarter is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU employee data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
  • Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private.  

 

Source and categories of data

We process the data you provide us. We may also receive data about you from third parties:

  • Via the tax office: wage tax-relevant data (such as: marital status, child allowances)
  • Via your health insurance company (electronic certificate of incapacity for work, if applicable, information on children's sick pay or maternity protection)
  • Courts/creditors (in the case of garnishments or legal inquiries)

Retention periods

The data we collect about you will be deleted as soon as it is no longer required for the performance of the employment relationship, or the employment relationship has been terminated and there are no statutory retention periods to the contrary. Retention periods result from tax law, labour law and social security law regulations and generally extend up to 10 years.

Provision of data

You must provide us with the personal data that is necessary for us to be able to perform the contract with you and which we are legally obliged to collect. Without providing this mandatory information, we may not be able to enter into or maintain an employment relationship with you.

Your rights as a data subject

As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR
  • Right not to be subject to an automated decision, Art. 22 GDPR

If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

If you have any questions about your rights and how to exercise them, please contact Human Resources or Velocity Clinical’s Privacy Officer at privacy@velocityclinical.com.

Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany

Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com

1. Revision History

This data protection notice is updated from time to time. You will always find the latest version on our intranet.

Version Number Revision Date Revision Summary
00 15 APR 2024 Original
Document Title Privacy Notice - Non HR - Data protection information for business partners or contact persons at our business partners
Document # FORM GEN-002
Revision # 00
Effective Date 15 Apr 2024

Privacy Notice for business partners or contact persons at our business partners

Purpose of the data processing

We process your personal data for the following purposes:

  • Establishment of professional contact and communication
  • Maintaining business relations and implementing contracts between us and your employer or client

Legal basis

We process your data for our legitimate interests as stated above (Art. 6 Para. 1 Letter f GDPR). These are the performance of the contract and the maintenance of the business relationship with you or your employer/client. Insofar as we process personal data beyond this, this is based on your consent (Art. 6 Para. 1 Letter a GDPR).

Categories and sources of personal data

We process the following information about you: Name, gender, title, professional contact data, professional position, employer, financial data, information on previous communication. If you have voluntarily provided us with additional data, we may also have stored this data. If you have not provided us with your data yourself, we have received it from your employer or another business partner.

Recipients

We only transfer data to third parties if this is necessary or if there is a legal basis.  Categories of third parties that may receive or be able to access your data include:

  • Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
  • Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarter is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
  • Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private. 

Source and categories of data

We process the data you provide us. We may also receive data about you from third parties:

  • Your employer when we are in business contact.

Retention periods

The personal data are stored for as long as they are necessary for the above-mentioned purposes. If your contact details are processed in connection with invoices, we will store them in accordance with the statutory retention periods.

Your rights as a data subject

As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR
  • Right not to be subject to an automated decision, Art. 22 GDPR

If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany

Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com

1. Revision History

This data protection notice is updated from time to time. You will always find the latest version on our intranet.

Version Number Revision Date Revision Summary
00 15 APR 2024 Original
Document Title Privacy Notice - Non HR -- Patients Recruitment Database
Document # FORM GEN-003
Revision # 00
Effective Date 15 Apr 2024

Privacy Notice for Patient Recruitment

Purpose of the data processing

We process your personal data for the following purposes:

  • building up and maintaining a database of potential participants for future studies
  • information of potential participants about studies that might be relevant for them

Legal basis

We process your personal data with your consent (Art. 6 para. 1 letter a GDPR) and to comply with legal and official requirements (Art. 6 para. 1 letter c GDPR).

Categories of personal data

We process the following data about you: Name, address, gender, contact data, date of birth, marital status, health data.

Recipients

We only transfer data to third parties if this is necessary or if there is a legal basis.  Categories of third parties that may receive or be able to access your data include:

  • Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
  • Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarter is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
  • Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private. 

Retention periods

The personal data are stored for as long as they are necessary for the above-mentioned purposes. If your contact details are processed in connection with invoices, we will store them in accordance with the statutory retention periods.  We will only store your data for as long as you do not revoke your consent. As soon as you withdraw your consent, we will delete this data from our patient database.

Your rights as a data subject

As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR
  • Right not to be subject to an automated decision, Art. 22 GDPR

If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany

Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com

1. Revision History

This data protection notice is updated from time to time. You will always find the latest version on our intranet.

Version Number Revision Date Revision Summary
00 15 APR 2024 Original
Document Title EU/UK Website Privacy Notice
Document # FORM GEN-011
Revision # 00
Effective Date 30 Aug 2024

Privacy Notice Velocity European Website

Privacy Notice
for users of the velocityclinicaltrials.eu website

Purpose of the data processing
Velocity Clinical Research is a global network of dedicated clinical research sites that recruit patients for phase 1-4 clinical trials on behalf of biopharmaceutical companies and contract research organisations. As part of the recruitment of patients, we encourage potential participants to visit our website to assess their eligibility based on study requirements.

Our website aims to alert you of upcoming clinical trials that fit your interests and needs.

Legal basis
We process your personal data with your consent (Artt. 6 para. 1 letter a, 9 para. 2 letter a GDPR), to provide you the services of this app (Art. 6 para. 1 letter b GDPR) and based on our legitimate interests (Art. 6 para. 1 letter f GDPR) to analyse web traffic behaviour and marketing.

Categories of personal data
We process the personal data you provide in the submission form, as well as provided to us via cookies that have been accepted by you. To provide our services this includes health data and data regarding race and ethnicity which is considered sensitive data under Art. 9 Abs. 1 GDPR.

Recipient
We may share your data with other recipients within the Velocity Clinical Research Group. Furthermore, we use service providers who provide or maintain our IT infrastructure (IT service/software, call centers, Cloud-service providers) and support us in delivering the services of this website. These service providers and/or their sub-contractors/parent companies can be located in Third Countries outside the EU/EEA. In these cases, all transfers are based on EU standard contractual clauses.

Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Programme, and to view our certification, please visit https://www.dataprivacyframework.gov/

WordPress
We utilize WordPress for website development, located at 60 29th Street #343, San Francisco, CA 94110. This data is not shared with third parties. A Data Processing Agreement (DPA) is in place, ensuring compliance with legal requirements.  For more details, visit: https://cookiedatabase.org/service/wordpress/

Complianz
We utilize Complianz for cookie consent management, located at Kalmarweg 14-5, 9723 JG Groningen, Netherlands, for cookie consent management on our web properties. Complianz accesses only your cookie compliance selections and IP address. A Data Processing Agreement (DPA) is in place, ensuring compliance with legal requirements.

For more information, visit: https://complianz.io/

Google Fonts
We utilise Google Fonts for display of webfonts, located at 1600 Amphitheatre Parkway in Mountain View, California, United States, to display fonts on our web properties. There is a Data Processing Agreement in place to make sure your data is processed according to all legal requirements.

For more information, visit: https://policies.google.com/privacy

YouTube

We utilise YouTube for display of videos, located at 901 Cherry Ave, San Bruno, CA 94066, United States, to display videos on our web properties. There is a Data Processing Agreement in place to make sure your data is processed according to all legal requirements.

For more information, visit: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/

Storage period
Personal data is stored for as long as necessary for the above-mentioned purposes.

Your rights as a data subject
As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:

  • Right to be informed, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR

As the processing is based on your consent, you have the right to revoke consent to processing of your data at any time with future effect. Please be aware that in this case we are no longer able to provide you, our services.

Insofar as the data processing is based on an assessment of the legitimate interests, you have the right to object to this processing of the data. There must be justified reasons for this, which result from your situation.

You also have the right to lodge a complaint with the data protection supervisory authority about the processing of your data.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with enquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.

Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.

Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Velocity shall remain liable under the principles if its agent processes such personal information in a manner inconsistent with the principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Provision of data
You must provide us with the personal information necessary for us to send survey communications and to evaluate the eligibility for the studies. We may not be able to offer you the application’s services without having this mandatory information.

Automated decision making and profiling
The data you provide us via this form is analysed automatically and creates/updates a profile. However, this is not associated with any decision-making that has legal effect or significantly affects you in a similar way, as any final determination of eligibility is left to the sole professional discretion of trained medical professionals licenced in the applicable jurisdiction.

Responsible party
Velocity Clinical Research Inc., 300 E. Main St., Suite 300, Durham, NC 27701, United States is responsible for this data processing.
Email: privacy@velocityclinical.com
Phone: 0800 032 1732