Privacy Policy
Effective 27 September 2024
1.0 Objective
This Allucent policy states the basic principles by which Allucent processes the Personal Data of clients, vendors, business partners, employees, contractors, sub-contractors, clinical trial investigators, site team members, clinical trial subjects and other individuals, and indicates the responsibilities of its business departments and employees while processing Personal Data.
2.0 Scope
This policy is applicable to all processing and transfers of Personal Data, whether in electronic, paper or verbal format, processed by Allucent. The provisions and the uses of this policy apply to all employees, contractors, subcontractors, agents and consultants working with, or on behalf of, Allucent.
3.0 Policy Statement
3.1. Introduction
Allucent, operating through all CATO SMS and Pharm-Olam affiliates (collectively “we”, “us”, “Allucent”, or the “Company”) conducts every business transaction (including without limitation, operations, negotiations and marketing) with integrity and complies with the laws and regulations of the United States, as well as the laws and regulations of each country in which Allucent operates or is looking to operate. All Allucent personnel are expected to maintain privacy in communication when conducting Allucent’s business.
At Allucent the foundation of our business is the provision of clinical trials management and related services for the pharmaceutical, medical device and bio-tech industry corresponding to human clinical research studies. Given the nature of our work, the protection of Personal Data is critical for us and our clients. For these reasons, Allucent has a comprehensive, global privacy program designed to respect and protect data privacy rights. Allucent intends that its corporate Privacy Policy and standard practices and procedures will ensure timely compliance with all applicable international laws and regulations, including but not limited to, the European Union’s General Data Protection Regulation 2016/679 (GDPR).
Allucent values the confidence of its clients and vendors and respects individual privacy, including Personal Data of employees, healthcare professionals, clinical trial subjects, clinical investigators, business partners, consultants, contractors, subcontractors and investors. Not only does Allucent collect, use and disclose Personal Data in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.
Questions about this policy, or requests for further information, should be directed to Allucent’s Data Protection Officer at DPO@allucent.com.
3.2. Basic Principles Regarding Personal Data Processing
Allucent processes Personal Data in accordance with all applicable data protection/privacy principles, including but not limited to the GDPR principles which serve as the baseline on which our standards are set.
The GDPR principles are set forth below:
3.2.1. Lawfulness, Fairness and Transparency
Allucent processes Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject.
3.2.2. Purpose Limitation
Allucent collects Personal Data solely for specified, explicit and legitimate purposes.
3.2.3. Data Minimization
Allucent collects Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed and adheres to the principle of data minimization. With the increasing number of countries restricting or disallowing the use of clinical trial subjects’ initials as an identifier, Allucent will no longer collect clinical trial subjects’ initials, except where an Allucent client requires such and the client is compliant with the applicable national and regional laws. To the extent known to Allucent, Allucent will also make its clients aware of potential issues with submitting data from countries that do allow collections of patient identifiable data (e.g., DOB, initials, etc.) into territories that do not.
3.2.4. Accuracy
Allucent keeps Personal Data accurate and, where necessary, up to date and takes reasonable steps to ensure that inaccurate Personal Data, taking into account the purposes for which the inaccurate Personal Data was processed, are erased or rectified in a timely manner.
3.2.5. Storage Period Limitation
Allucent keeps Personal Data for no longer than is necessary for the purposes for which the Personal Data are processed.
3.2.6. Integrity and Confidentiality
Allucent uses appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure.
3.3. Building Data Protection in Business Activities
In order to demonstrate compliance with the prevailing data privacy principles, Allucent has built data protection into its business activities.
3.3.1. Privacy Notices to Data Subjects
When individuals are first asked to provide Personal Data to Allucent, or as soon as practicable thereafter, and in any event before Allucent uses or discloses the Personal Data for a purpose other than for which it was originally collected, Allucent properly informs Data Subjects of the following: the types of Personal Data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their Personal Data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect Personal Data. This information is provided through a Privacy Notice in clear and understandable language.
Since Allucent has multiple data processing activities, it has developed different Privacy Notices depending on the processing activity, the Data Subject and the categories of Personal Data collected. Allucent’s Data Protection Officer (“DPO”) is responsible for creating and maintaining the Register of Privacy Notices. Where special categories of Personal Data are being collected, the Privacy Notice explicitly states the purpose for which this data is being collected.
Where Allucent, as a Processor, receives Personal Data from its subsidiaries, affiliates or other entities in the EU, Switzerland or any other country, it shall use such data in accordance with all applicable laws and regulations, including the GDPR. Where Allucent, as a Controller, receives Personal Data from third parties, it shall provide Data Subjects with an appropriate Privacy Notice within a reasonable period after obtaining the Personal Data, at the time of the first communication or first disclosure to another recipient.
3.3.2. Data Subject’s Choice and Consent
Whenever Personal Data processing is based on the Data Subject’s consent, Allucent retains a record of such consent. Allucent provides Data Subjects with options to provide the consent and informs and ensures that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time. When requests to correct, amend or destroy Personal Data records are received, Allucent ensures that these requests are tracked by the Allucent DPO and handled without undue delay and in any event within one month of receipt of the request.
Personal Data is only processed for the purpose for which it was originally collected. If Allucent wants to process collected Personal Data for another purpose, it will seek the documented consent of its Data Subjects in clear and concise language.
Allucent will obtain consent from all clients, employees, healthcare professionals, medical research subjects, clinical investigators, business partners, contractors, subcontractors, consultants and investors, where required, for processing, use and/or distribution of any personal and/or special categories of Personal Data prior to the processing, use or distribution of such data.
3.3.3. Use, Retention and Disposal
The purposes, methods, storage limitation and retention period of Personal Data are consistent with the information contained in the applicable Privacy Notice. Allucent maintains the accuracy, integrity, confidentiality and relevance of Personal Data based on the processing purpose as further defined in the applicable Privacy Notice. Adequate security mechanisms designed to protect Personal Data are used to prevent Personal Data from being stolen, misused, or abused and prevent Personal Data breaches.
3.3.4. Disclosure to Third Parties
Allucent may share an individual’s Personal Data with clients, clinical investigators, agents, contractors, sub-contractors, business partners or vendors of Allucent in connection with services that these individuals or entities perform for, or with, Allucent. Whenever Allucent uses a third-party vendor to process Personal Data on its behalf, Allucent ensures that this vendor can provide security measures to safeguard Personal Data that are appropriate to the associated risks. Allucent always remains liable in cases of onward transfers of Personal Data to third parties contracted by Allucent.
Where Allucent uses such a third-party vendor, Allucent assesses the vendor during qualification and contractually requires the vendor to provide at least the same level of data protection as Allucent provides. The vendor must only process Personal Data to carry out its contractual obligations towards Allucent or upon the instructions of Allucent and not for any other purposes. Allucent explicitly specifies the respective responsibilities of the third party in the relevant contract or any other legally binding document, such as a Data Processing Agreement.
Allucent may disclose Personal Data in response to lawful requests by public authorities, including to comply with national security or law enforcement requirements.
3.3.5. Cross-border Transfer of Personal Data
All transfers of Personal Data by Allucent comply with all applicable international laws and regulations, including, without limitation, the GDPR.
Transfers of Personal Data outside of the European Economic Area (“EEA”) shall always be made in accordance with the data protection principles prescribed by international law and regulations applicable in the relevant countries. When transferring Personal Data out of the EEA, adequate safeguards will be used, such as including standard contractual clauses issued by the European Commission in contracts with third parties, as well as internal intercompany agreements.
3.3.6. Subject Rights
3.3.6.1. Rights of Access by Data Subjects
When acting as a Controller, Allucent provides Data Subjects with a mechanism to enable them to access their Personal Data and allows them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism is further detailed in Allucent’s Data Subject Rights Request procedure, as well as in the Privacy Notices.
3.3.6.2. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to Allucent in a structured format and to transmit those data to another Controller, for free. Allucent’s DPO is responsible for ensuring that such requests are processed within required timelines, are not excessive and do not affect the rights to Personal Data of other individuals.
3.3.6.3. Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of their Personal Data, if applicable. Allucent shall use all reasonable and proportionate efforts to erase data, where required. When the Company is acting as a Controller, Allucent, along with its DPO oversight, will take necessary actions to inform the third parties who use or process that data to comply with the request.
3.3.7. Data Protection Impact Assessments
Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of Data Subjects, Allucent shall, when acting as the Controller, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of Personal Data (Data Protection Impact Assessment), according to Allucent’s Data Protection Impact Assessment procedure. Allucent shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk to the Data Subjects in the absence of measures taken by Allucent to mitigate the risk.
3.3.8. Use of Cookies
Allucent employs cookies on its websites. A cookie is a small piece of data sent from the website and stored in the web browser of the visitor. Each time the visitor loads the website, the browser sends the cookie back to the server to notify the website of the visitor’s previous activity. This website’s performance cookie is not connected to personal information; it is used in aggregate with other website visitors’ data to generate statistical reports on how people are navigating and using the website. Allucent uses the reports to help us improve the website usage and performance. Visitors to allucentstage2.wpenginepowered.com may additionally receive cookies from third-party sources; these sources can provide more information about their privacy and cookie policies.
3.3.9. Response to Personal Data Breach Incidents
In the event that Allucent learns of a suspected or actual Personal Data Breach, the DPO will perform an internal investigation and take appropriate remedial measures in a timely manner, according to its Data Breach Response and Notification procedure. Where there is any risk to the rights and freedoms of Data Subjects, Allucent shall notify the relevant data protection authorities without undue delay and, when possible, within 72 hours. Where Allucent acts as Processor, it shall notify the Controller of the Personal Data Breach in a timely manner. The DPO will also escalate the Personal Data breach issue to other internal groups for consideration, for example, for assessment as potential serious breaches of GCP by Quality Assurance.
3.3.10. Organization, Accountability and Audit
The responsibility for ensuring appropriate Personal Data processing lies with everyone who works for or with Allucent and has access to Personal Data processed by Allucent.
The key areas of responsibilities for processing Personal Data lie with the following organizational roles:
Role | Responsibility |
---|---|
Chief Operation Officer & General Counsel | Makes decisions about, and approves, Allucent’s general strategies on Personal Data protection and ensures enforcement of this policy. |
DPO | Manages the Personal Data protection program and is responsible for the development and promotion of end-to-end Personal Data protection policies. Monitors and analyses Personal Data laws and changes to regulations, develops compliance requirements and assists business functions in achieving their Personal Data goals. Ensures Personal Data protection awareness training is provided to all employees and contractors as part of the induction process, and at regular intervals thereafter. Organizes additional training to individuals whose roles require regular access to Personal Data, or who are responsible for implementing this policy or responding to subject access requests under this policy, to help them understand their duties and how to comply with them. |
VP, Information Technology | Ensures all systems, services and equipment used for storing data meet required security standards. Performs regular checks and scans to ensure security hardware and software is functioning properly. |
Chief Revenue Officer; Chief Marketing Officer | Approves any data protection statements attached to communications, such as emails and letters. Addresses any data protection queries from journalists or media outlets like newspapers. Where necessary, works with the DPO to ensure marketing initiatives abide by data protection principles. |
Director and Manager, Global People & Culture; Global Head, Talent Acquisition | Improves all employees’ and contractors’ awareness of user Personal Data protection. Ensures end-to-end Personal Data protection for applicants and employees. Ensures that potential applicants and employees’ Personal Data is processed based on the employer’s legitimate business purposes and necessity. |
Senior Director, Contracts | Passes on Personal Data protection responsibilities to vendors by ensuring Data Processing Agreements are signed. Improves vendors’ awareness levels of Personal Data protection, as well as the flow down of Personal Data requirements to any third party a vendor is using. |
Associate Director, Corporate Services and Compliance | Leads vendor evaluation and qualification, management and oversight. |
VP, Quality Assurance | Ensures audits are conducted on how well business functions implement this policy. |
3.3.11. Amendments
Allucent reserves the right to amend this policy from time to time to ensure it remains consistent with the principles.
3.3.12. Conflicts of Law
This policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Allucent operates. In the event of any conflict between this policy and applicable laws and regulations, the latter shall prevail.
4.0 Terms and Definitions
Agent is any third party that uses Personal Data provided to it by or on behalf of Allucent to perform tasks on behalf of and under the instructions of Allucent.
Allucent includes all CATO SMS and Pharm-Olam affiliates worldwide.
Controller is the natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Personal Data includes any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing is an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Processor is a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of a Controller.
Special Categories of Personal Data refers to personal information that reveals sensitive data, such as race, ethnic origin, political opinions, religious or philosophical beliefs, criminal records or trade union membership, or that concerns health or sexual orientation.
Cookie List
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:
First-Party
Host | Name | Details |
---|---|---|
info.allucent.com | __cf_bm | Description: The __cf_bm cookie is a cookie necessary to support Cloudflare Bot Management, currently in private beta. As part of our bot management service, this cookie helps manage incoming traffic that matches criteria associated with bots. This is a CloudFoundry cookie. Lifespan: a few seconds |
info.allucent.com | __cfruid | Description: Cookie associated with sites using CloudFlare, used to identify trusted web traffic. Lifespan: 1 year |
allucent.com | OptanonConsent | Description: This cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category. This enables site owners to prevent cookies in each category from being set in the user's browser, when consent is not given. The cookie has a normal lifespan of one year, so that returning visitors to the site will have their preferences remembered. It contains no information that can identify the site visitor. Lifespan: 1 year |
allucent.com | OptanonAlertBoxClosed | Description: This cookie is set by websites using certain versions of the cookie law compliance solution from OneTrust. It is set after visitors have seen a cookie information notice and in some cases only when they actively close the notice down. It enables the website not to show the message more than once to a user. The cookie has a normal lifespan of one year and contains no personal information. Lifespan: 1 year |
Performance Cookies
First-Party
Host | Name | Details |
---|---|---|
allucent.com | _ga_xxxxxxxxxx | Description: Used by Google Analytics to identify and track an individual session with your device. Lifespan: 1 year |
allucent.com | _gid | Description: This cookie name is associated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Lifespan: a few seconds |
allucent.com | _uetvid | Description: This is a cookie utilised by Microsoft Bing Ads and is a tracking cookie. It allows us to engage with a user that has previously visited our website. Lifespan: 1 year |
allucent.com | __hssrc | Description: This cookie name is associated with websites built on the HubSpot platform. It is reported by them as being used for website analytics. Lifespan: 1 year |
allucent.com | _ga | Description: This cookie name is associated with Google Universal Analytics – which is a significant update to Google’s more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the site's analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners. Lifespan: 1 year |
allucent.com | __hstc | Description: This cookie name is associated with websites built on the HubSpot platform. It is reported by them as being used for website analytics. Lifespan: 5 months |
allucent.com | __hssc | Description: This cookie name is associated with websites built on the HubSpot platform. It is reported by them as being used for website analytics. Lifespan: a few seconds |
Functional Cookies
First-Party
Host | Name | Details |
---|---|---|
allucent.com | hubspotutk | Description: This cookie name is associated with websites built on the HubSpot platform. HubSpot report that its purpose is user authentication. As a persistent rather than a session cookie it cannot be classified as Strictly Necessary. Lifespan: 5 months |
Third Party
Host | Name | Details |
---|---|---|
vimeo.com | _cfuvid | Description: This domain is owned by Vimeo. The main business activity is: Video Hosting/Sharing. Lifespan: 1 year |
vimeo.com | __cf_bm | Description: This is a CloudFoundry cookie. Lifespan: a few seconds |
Targeting Cookies
First-Party
Host | Name | Details |
---|---|---|
allucent.com | _gat_UA- | Description: Google Analytics Cookies. Lifespan: a few seconds |
allucent.com | _gcl_au | Description: Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. Lifespan: 2 months |
allucent.com | _uetsid | Description: This cookie is used by Bing to determine what ads should be shown that may be relevant to the end user perusing the site. Lifespan: a few seconds |
Third Party
Host | Name | Details |
---|---|---|
hsforms.com | _cfuvid | Description: This domain is owned by Hubspot. The company provides a range of online marketing and sales technology and services. Lifespan: 1 year |
linkedin.com | bcookie | Description: This domain is owned by LinkedIn Corporation. LinkedIn is a business- and employment-oriented online service that operates via websites and mobile apps. Lifespan: 1 year |
hubspot.com | _cfuvid | Description: This domain is owned by Hubspot. This company provides a range of online marketing and sales technology and services. Lifespan: 1 year |
bing.com | MSPTC | Description: This domain is owned by Microsoft – it is the site for the search engine Bing. Lifespan: 1 year |
linkedin.com | UserMatchHistory | Description: Used to track usage of the embedded video player. Lifespan: 1 month |
bat.bing.com | MR | Description: This domain is owned by Microsoft – it is the site for the search engine Bing. Lifespan: 6 days |
hsforms.com | __cf_bm | Description: This is a CloudFoundry cookie. Lifespan: a few seconds |
youtube.com | VISITOR_INFO1_LIVE | Description: This cookie is used as a unique identifier to track viewing of videos. Lifespan: 5 months |
google.com | NID | Description: This domain is owned by Google Inc. Although Google is primarily known as a search engine, the company provides a diverse range of products and services. Its main source of revenue however is advertising. Google tracks users extensively both through its own products and sites, and the numerous technologies embedded into many millions of websites around the world. It uses the data gathered from most of these services to profile the interests of web users and sell advertising space to organisations based on such interest profiles as well as aligning adverts to the content on the pages where its customer’s adverts appear. Lifespan: 6 months |
linkedin.com | li_sugr | Description: This domain is owned by LinkedIn Corporation. LinkedIn is a business- and employment-oriented online service that operates via websites and mobile apps. Lifespan: 2 months |
youtube.com | VISITOR_PRIVACY_METADATA | Description: YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. Lifespan: 5 months |
hubspot.com | __cf_bm | Description: This is a CloudFoundry cookie. Lifespan: a few seconds |
www.linkedin.com | bscookie | Description: This domain is owned by LinkedIn Corporation. LinkedIn is a business- and employment-oriented online service that operates via websites and mobile apps. Lifespan: 1 year |
bing.com | MUID | Description: This domain is owned by Microsoft – it is the site for the search engine Bing. Lifespan: 1 year |
hsforms.net | __cf_bm | Description: This is a CloudFoundry cookie. Lifespan: a few seconds |
youtube.com | YSC | Description: YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. Lifespan: 1 year |
linkedin.com | AnalyticsSyncHistory | Description: This domain is owned by LinkedIn Corporation. LinkedIn is a business- and employment-oriented online service that operates via websites and mobile apps. Lifespan: 1 month |
doubleclick.net | test_cookie | Description: This domain is owned by Doubleclick (Google). The main business activity is: Doubleclick is Google's real-time bidding advertising exchange. Lifespan: a few seconds |
linkedin.com | __cf_bm | Description: This is a CloudFoundry cookie. Lifespan: a few seconds |
doubleclick.net | IDE | Description: This domain is owned by Doubleclick (Google). The main business activity is: Doubleclick is Google's real-time bidding advertising exchange. Lifespan: 1 year |
linkedin.com | lidc | Description: This domain is owned by LinkedIn Corporation. LinkedIn is a business- and employment-oriented online service that operates via websites and mobile apps. Lifespan: a few seconds |
Unknown Cookies
Third Party
Host | Name | Details |
---|---|---|
kwesforms.com | kwesforms_session | Description: This domain is owned by Kwes, LLC. KwesForms is a service for building contact forms for websites. Lifespan: a few seconds |
px.ads.linkedin.com | ar_debug | Description: This domain is owned by LinkedIn Corporation. LinkedIn is a business- and employment-oriented online service that operates via websites and mobile apps. Lifespan: 1 month |
kwesforms.com | XSRF-TOKEN | Description: This cookie helps with site security in preventing Cross-Site Request Forgery attacks. Lifespan: a few seconds |