Effective Date: September 29, 2021
On July 16, 2020, the Court of Justice of the European Union issued a judgment invalidating the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield. As a result, the EU-US Privacy Shield may no longer be relied upon as a valid mechanism to transfer Personal Data from the European Union to the United States.
On September 8, 2020, Switzerland’s Federal Data Protection and Information Commissioner (“FDPIC”) issued an opinion concluding that the Swiss-US Privacy Shield Framework does not provide an adequate level of protection to transfer Personal Data from Switzerland to the United States. Organizations wishing to utilize the Swiss-US Privacy Shield as a transfer mechanism to support Personal Data transfers from Switzerland to the United States should contact the FDPIC or their legal counsel.
Notwithstanding these events, the US Department of Commerce has continued to administer, and Syneos Health has elected to continue its participation in, the EU-US and Swiss-US Privacy Shield programs.
Further, on January 1, 2021, the United Kingdom ("UK") finalized its exit from the European Union. The UK allows for the transfer of personal data to countries outside the UK only if the transfer is consistent with a UK adequacy decision or is permitted under a safeguard or exception provided under UK law. As of this time, the UK has not adopted an adequacy decision for the United States or for the EU-U.S. Privacy Shield Framework. Organizations wishing to understand options for the transfer of personal data from the UK to the United States utilizing an adequate safeguard or exception provided under UK law should contact the UK’s Information Commissioner’s Office or consult with their legal counsel.
Certain Syneos Health entities, Syneos Health Clinical, Inc., Syneos Health, LLC, Syneos Health Clinical, LLC, Syneos Health Clinical Research Services, LLC, Synteract, Inc., and CU-Tech LLC (collectively, the “Privacy Shield Entities,” “we,” “us,” or “our”), have certified to the U.S. Department of Commerce our compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of certain Personal Data (as described below) transferred from the European Union and/or Switzerland, as applicable, to the United States (“Privacy Shield”). In our certification, we commit to adhering to the Privacy Shield Principles with respect to such information (“Principles”). If there is any conflict between the terms in this statement and the Principles, the Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Types of Data Collected
This statement applies to Personal Data within the scope of our Privacy Shield certification:
- Human Resources Data regarding current, former, and prospective (1) Officers, directors, employees, contract laborers, or temporary employees (collectively, “Associates”); (2) our Agents, including consultants or representatives; (3) Beneficiaries identified by Associates; and (4) Retirees located in the European Union or Switzerland, which we process for the purpose of operating and managing the Privacy Shield Entities, performing human resource administration, and maintaining contact with individuals.
- Personal Data regarding clinical research participants; study investigators and their staff; medical and healthcare professionals; pharmaceutical industry experts and opinion leaders; customers, such as pharmaceutical, medical device, and biotechnology companies; vendors; contractors; consultants; and consumers for the purposes of marketing and business development activities, managing ongoing business relationships and delivering our services.
For the purposes of this statement, “Personal Data” means information that relates to a natural person (a “Data Subject”) and can be linked either directly or indirectly to that Data Subject. In addition, certain Personal Data covered by our Privacy Shield certification may be subject to more specific privacy policies or to contract terms. For example:
- Certain Syneos Health websites maintain their own privacy policies that apply to Personal Data collected via those sites. Where the website pertains to the business of the Privacy Shield Entities, those privacy policies apply to the Privacy Shield Entities. Such policies may be accessed through those websites.
- Personal Data obtained from or relating to employees or Syneos Health group companies or the staff of study investigators or sponsors may be further subject to the terms of specific Privacy Notices provided to Data Subjects, to contractual arrangements, and to applicable laws and professional standards.
In the case of any conflict between these policies and contracts and the Principles, the Principles will control.
Jurisdiction of the FTC
We are committed to upholding the Principles and confirm that we are subject to the investigatory and enforcement powers of the US Federal Trade Commission.
We collect and process Personal Data from certain Data Subjects and for the purposes described in this statement. Notice, which is designed to inform Data Subjects about the Personal Data collected from them and how that information is used, may be provided through this statement, other Syneos Health group website notices, or other direct forms of communication with appropriate parties, such as contracts or agreements.
We will not process Personal Data covered by this statement for purposes other than those for which the information was originally obtained or subsequently authorized by the Data Subject unless the Data Subject consents to the processing, or unless an exception (including another lawful basis for such processing) under applicable law applies. We also provide Data Subjects with the opportunity to withdraw consent at any time, as stated in our Privacy Notice.
Disclosures & Accountability for Onward Transfers
We may transfer Personal Data to third parties, including transfers from one country to another. We may disclose a Data Subject’s Personal Data to third parties under one or more of the following conditions:
- To (a) another member of a Syneos Health group company, in connection with the operation of our business; (b) third-party service providers, such as vendors, consultants, and advisors, in connection with the operation of our business (including to establish, maintain, or defend legal claims); (c) customers and prospective customers, such as sponsors, in the course of pursuing business opportunities and performing our services; and (d) newly-formed or acquiring organizations in the event of a merger, sale, or a transfer of some or all of our business. We maintain written contracts with these third parties that are designed to provide the same level of privacy protection and security as required by the Principles. To the extent provided by the Principles, we remain responsible and liable under the Principles if a third party we engaged processes Personal Data in a manner that is inconsistent with the Principles, unless we prove that we are not responsible for the matter giving rise to the damage;
- To third parties with the Data Subject’s consent;
- To public authorities when we receive lawful requests from them (such as court orders, or government inquiries), including to meet national security or law enforcement requirements.
Data Subjects in the European Union and Switzerland have the right to access data about them, and may have the right under certain circumstances to correct, amend, restrict, port, or delete Personal Data. Where we are the Data Controller, we will honor such rights, subject to the limitations and exclusions provided by law. Where we are processing the Personal Data of such individuals for our customers, we will refer any requests to access, correct, amend, restrict, port or delete Personal Data to the applicable Data Controller, if we have appropriate information to do so, and will provide reasonable support to the Data Controller in responding to your request. To convey your request to the relevant customer, we will need your name and contact information, the name of the customer to whom you provided your data, and whether you are making the request on your own behalf or on behalf of another person. All requests to exercise any of the foregoing rights should be sent to email@example.com.
We have employed reasonable and appropriate measures designed to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation
We collect and process Personal Data only to the extent that it is compatible with the purposes for which it was collected or subsequently authorized by the Data Subject. We do not retain Personal Data after it no longer serves the purposes for which it was collected or subsequently authorized. We take reasonable steps designed to ensure that Personal Data is accurate, complete, current, and reliable for its intended use.
Contacting Us; Dispute Resolution
We are committed to addressing questions and resolving complaints about our collection and/or use of your Personal Data. Should you have any questions about this statement or our compliance with the Principles, or if you wish to raise a complaint, please contact us at firstname.lastname@example.org. We will respond to your complaint within 45 days of its receipt.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily:
- For disputes involving HR data: Please contact the relevant supervisory authorities for the European Union or the Swiss FDPIC, and we will cooperate with such authorities with regard to the investigation in an effort to resolve the complaint. We have committed to cooperate with the relevant supervisory authorities with regard to unresolved Privacy Shield complaints concerning human resources data transferred in the context of the employment relationship and will comply with advice given by the competent regulatory authority.
- For all other data: Please contact our US-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. If your inquiry or complaint is not addressed satisfactorily, you may contact the relevant supervisory authorities for the European Union or the Swiss FDPIC, and we will cooperate with such authorities with regard to the investigation in an effort to resolve the complaint.
In certain cases, you may have the option to select binding arbitration under the Privacy Shield Panel for the resolution of your complaint. For further information, please see the Privacy Shield website.
We may update this statement from time to time by publishing an updated version to this site. If we propose to make any material changes, we will notify you by means of a notice on this page prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.