Processing and Protection of Personal Data

1. Objective

This document aims to implement Personal Data processing and protection legislation requirements and to protect the rights and freedoms of individuals when CluePoints processes their Personal Data.

This Document has been drawn up in compliance with the requirements established in the General Data Protection Regulation and other legislation regulating processing and protection of Personal Data.

2. Scope

This document applies to processing and protection of Personal Data at CluePoints. This Document is applicable to all Personal Data received or collected by CluePoints from customers, business partners, and other individuals, in any format, as part of CluePoints’ business operations.

Out of scope: HR Personal Data of CluePoints employees, which is covered by another Privacy Notice.

3. Definitions and abbreviations

3.1 Terms and Acronyms

  • Availability – Making sure that information is available when and where it is rightly needed.
  • Clinical Data – Defined in section 4.1
  • Confidentiality – Protection of information from unauthorized access.
  • Data Breach – Any event that has the potential to affect the confidentiality, integrity or availability of Personal Data held by CluePoints in any format.
  • Data Subject – Any person whose Personal Data is being collected, held or processed.
  • Integrity – Making sure that information is kept accurate and consistent unless authorized changes are made.
  • Marketing Data – Defined in section 4.1
  • Natural Person – Someone who can be identified, directly or indirectly.
  • Personal Data – Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Sensitive Personal Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • User – Any person who owns an account on CluePoints’ system.
  • Users Data – Defined in section 4.1

3.2 Abbreviations

  • CFO – Chief Financial Officer
  • QA – Quality Assurance

4. Protecting and Processing Personal Data

4.1  Data Processed

The collection, processing, storage and use of Personal Data is essential in the context of many of CluePoints’ business functions.

CluePoints may collect the following Personal Data:

  • Users Data

Data collected when a user interacts with our helpdesk service. When a user enters a request on our helpdesk service, the user is asked to provide the following information: full name, company name, email address.

Data collected when a user requests product updates. When a user registers for product or service status updates, the user is asked to provide the following information: email address.

  • Marketing Data

Data collected from visitors of our corporate website, such as information provided by filling in forms on the website (First Name, Last Name, Company and Email Address) or information automatically collected from the website visitor’s device or web browser when interacting with our website. When a website visitor visits our website, we place cookies in their browser, which allow us, by using the IP address, to track which pages the visitor views on our website and when.

CluePoints processes the following Personal Data:

  • Clinical Data

Clinical data provided by CluePoints’ customers. These data may comprise Patient ID number, gender, age, date of birth, ethnic origin and patient health-related data. These data are considered pseudonymized sensitive Personal Data.

  • Users Data

Data required for user account creation on the CluePoints web application. These data are provided by the customer and comprise first name, last name and email address.

4.2  Purpose of Data Processing

CluePoints uses Personal Data only in ways that are compatible with the purposes for which it was collected.

  • Users Data

We collect the first name, last name and email address of users on our web application, for the purpose of account creation only.

We require users to submit their name, e-mail address, the name of their organization, and the country in which they are based on our helpdesk service, so we may send the material the users have requested and to enable us to reply to users’ requests.

We require users who request product or service updates to submit their email address so we may send the requested updates.

  • Marketing Data

We use the information website visitors give by filling in forms on our website to provide them with commercial and company news messages via email relating to CluePoints and its products and services.

We use the information we collect from the website visitor’s device to track the pages that they read on our website for marketing purposes, in order to identify their key areas of interest and send them relevant communications.

  • Clinical Data

We use clinical data received from our customers to assess the efficacy and risks of certain drugs for evaluating the quality, accuracy, and integrity of clinical trial data.

Clinical Data and Users Data will be maintained for a period of time needed to fulfill legitimate and lawful business purposes in accordance with our records retention policies and applicable laws and regulations. Marketing Data will be maintained for an undefined period of time in accordance with applicable laws and regulations. Data subjects may exercise their rights defined in section 4.7 at any time.

4.3 Lawfulness and fairness

4.3.1 Processing of Personal Data

We only collect data for specified, explicit and legitimate purposes and will only process data on lawful and fair grounds.

We rely on the following legal aspects to collect and process Personal Data:

  • Clinical Data

The data subject has given consent: CluePoints processes clinical data as Processor and is therefore not responsible for demonstrating that the data subject has consented to processing of his or her Personal Data. It is the responsibility of CluePoints’ customer to obtain consent from the data subjects.

  • Users Data

To perform a contract to which the data subject is a party: we require user Personal Data to create an account on our web application or to allow our helpdesk to answer the user.

For legitimate business purposes: we require user Personal Data to provide product and service status updates when requested by a user.

  • Marketing Data

For legitimate business purposes: information collected through website visitors’ use of our corporate website is useful for us to better understand their needs and how we can improve our products and services.

We will only process the data for a purpose compatible with the purpose for which the Personal Data are initially collected. In case the purpose of collecting, processing and using the Personal Data is changed from the original purpose, the new processing will be done in accordance with a lawful ground and we will provide the data subjects with information on that other purpose prior to that further processing.

4.3.2  Processing of Sensitive Personal Data

Sensitive data are limited to Clinical Data. The processing of sensitive data is performed within the scope of CluePoints operations. Ethnic origin and clinical data concerning health are required for our operational activities. Processing of sensitive Personal Data is allowed pursuant to the lawful ground “consent from the data subject”. Clinical data are not collected directly by CluePoints. Clinical data are collected by CluePoints’ customers. It is the responsibility of CluePoints’ customer to obtain consent from the data subjects.

4.4  Data Protection

CluePoints takes the appropriate and necessary organizational and technical security measures to protect the data and privacy of data subjects from whom data have been collected, in order to prevent the loss, disclosure, unauthorized use, alteration or destruction of information we receive.

4.4.1  Pseudonymisation

The principle of pseudonymisation is applied to clinical data. CluePoints customers are informed that they cannot upload patient personally identifiable information such as name, social number or biometric data on the CluePoints web application. Patient identifiers are used and CluePoints does not own the key that links a patient identifier to a patient name.

4.4.2 Minimisation

We make sure that the principle of data minimisation is applied in all our activities.

  • All clinical data collected for the operational activities are relevant, adequate and necessary for evaluating the quality, accuracy, and integrity of clinical trial data.
  • Data collected for the creation of users on our web application is strictly limited to what is necessary.

4.4.3 Organizational measures

We have implemented organizational measures to ensure protection of Personal Data:

  • Logical access control, the principle of least privilege and separation of duties: Personal Data are stored and processed on secured servers and only made accessible to authorized personnel.
  • Training: to ensure any CluePoints employee who has access to Personal Data is kept up to date on necessary skills and knowledge (i.e. technical, scientific, computer, quality, regulatory, others) required for his/her job and will only process Personal Data according to appropriate instructions.

All CluePoints employees must sign a confidentiality agreement when joining the company.

We have implemented a Backup and Restore process to ensure that the integrity and availability of the data is preserved in case of accidental deletion, corruption of data or system failure. We therefore have the ability to restore access to Personal Data in the event of an incident.

4.4.4 Technical measures

We have set technical measures to ensure protection of Personal Data. Such measures may include, but are not limited to: network monitoring, the encryption of communications via SSL, encryption of information while it is in storage, firewalls, access controls, and similar security protocols.

4.5 Third parties sharing

We may transmit the information we collect from and about data subjects to other sub-contractors to provide specific services to clients such as hosting and helpdesk.

  • No information is disclosed to our hosting provider. Our hosting provider only maintains data in an encrypted state and does not have access to data.
  • Users’ name, e-mail address, name of their organization, and the country in which they are based are disclosed to our helpdesk service.

Where CluePoints engages another processor for carrying out specific processing activities, the same data protection obligations are imposed. This is ensured by contracts and assessments/audits. In case the new processor has access to Personal Data, the clients need to be informed and consulted about the intention to outsource the processes/services.

CluePoints has contracts in place with all sub-contractors to define the acceptable use policy and the service level agreement and to set forth the terms and conditions of any works or services performed by the sub-contractors.

In cases of onward transfers of data, received pursuant to the EU Standard Contractual Clauses (SCC) or other approved transfer mechanism, CluePoints is potentially liable.

In addition, we may disclose personal data as required by law or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

4.6 Transfer of Personal Data

In the normal course of performing our activities, Personal Data may be transmitted to our other affiliate located in the United States and certain subcontractors. Our affiliate and subcontractors are required to treat Personal Data in accordance with this Privacy Notice and our data protection policy.

CluePoints adheres to the European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union and the United Kingdom, and other international transfers of Personal Data.

CluePoints remains self-certified with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States. CluePoints has certified to the Department of Commerce that it adheres to the Privacy Shield Principles; however, CluePoints is not currently relying on this framework as the mechanism for the transfer of Personal Data. To learn more about the Privacy Shield program, and to view our certification, please visit Federal Trade Commission has jurisdiction over CluePoints’ compliance with the Privacy Shield.

4.7 Data Subject Rights

We commit to allowing any person for whom we possess Personal Data to access their Personal Data, to rectify their Personal Data and to limit use and disclosure of their Personal Data. We also commit to assisting our customers in responding to requests to exercise data subjects’ rights where feasible.

4.7.1 Right to Rectification, Erasure and Restriction of Processing

Data subjects for whom CluePoints owns Personal Data can at any time make a request for rectification. In the same way, data subjects can request at any time the restriction of the processing of their data or the erasure of their Personal Data. In case Personal Data are rectified, modified or in case processing of Personal Data is restricted, CluePoints will make sure to communicate the information to each recipient to whom Personal Data have been disclosed.

To record a Personal Data rectification or erasure or the restriction of processing, data subjects can contact us as indicated in the “Contact Detail” section of this Privacy Notice. We will respond to such requests within a reasonable timeframe.

In some circumstances, a request for data rectification, erasure or restriction of processing may be rejected by CluePoints. In that case, the reason for rejection will be communicated to the data subject concerned.

4.7.2 Right to Access

Data subjects for whom CluePoints owns Personal Data can request at any time access to their Personal Data. In case of a Personal Data request, CluePoints commits to transmit Personal Data in structured, commonly used and machine-readable formats. A secured method must be used while transmitting data.

To record a Personal Data rectification or erasure or the restriction of processing, data subjects can contact us as indicated in the “Contact Detail” section of this Privacy Notice. We will respond to such requests within a reasonable timeframe.

4.8 Contact Detail

CluePoints commits to reply to any question, handle any request or resolve any complaint about our collection or use of Personal Data. European Union individuals with inquiries or complaints regarding our Privacy Notice should first contact CluePoints at: [email protected].

4.9 Right to lodge a complaint

Any person has the right to lodge a complaint to the Data Protection Authorities if they believe that CluePoints has not complied with the requirements of the GDPR or Privacy Shield with regard to their Personal Data. CluePoints commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel.

To lodge a complaint, data subjects can contact their country-specific data protection authority or CluePoints’ lead data protection supervisory authority:

Data Protection Authority (Autorité de protection des données) 
Rue de la Presse 35
1000 Bruxelles
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
e-mail: [email protected]

Under certain circumstances, a data subject may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means.

4.10 Changes to Privacy Notice

We may change this Privacy Notice. Any changes to this Privacy Notice will become effective when we post the revised Privacy Notice on the website. This Privacy Notice was last updated and becomes effective as of September 21, 2020.