Effective Date: 24AUG2023
AtaCor Medical, Inc. (“AtaCor”, “we”, “our” or the “Company”, and their cognates) respects the privacy of the individuals who take part in its clinical investigations (“Study Participants”) and other individuals whose data we process (collectively “data subjects” or “you”), and we are committed to protecting personal information that is shared with AtaCor.
AtaCor is the Sponsor of clinical investigations (each a “Study”) aiming to generate safety and performance data of the latest AtaCor EV Temporary Pacing Lead System and the AtaCor EV-ICD Lead System. Contract Research Organizations (the “CRO”s) recruit participants for the Studies and one or more investigators (each an “Investigator”) run the Study at one or more sites (each a “Hospital”). The Investigator provides data to AtaCor in the US in a pseudonymized form. AtaCor does not have access to identifying data of the Study Participants and only the Investigator will have the key to the pseudonymization of the data.
For the purposes of European Economic Area data protection law (the “Data Protection Law”), AtaCor will usually be a data controller (the “Controller”) in relation to the personal data of Study Participants, Investigators and Hospital personnel. The CROs, the Investigators and the Hospitals are data processors on behalf of AtaCor. Various technology providers, analysts and others associated with the Study will also be processors of the personal data (each a “Processor”) on behalf of AtaCor. We are also the data Controller for data provided through contracts and business arrangements for the Study, such as contracts with the partner Hospitals and with the CROs.
- WHICH INFORMATION MAY WE COLLECT? HOW DO WE COLLECT IT?
Summary: We collect data about you in connection with the Study, which includes personal details and health data. For example, our Processors collect this data on our behalf by asking you for it and by monitoring your health throughout the Study and/or by collecting data from your medical device (e.g., implantable pacemaker, ICD).
We collect data about you in connection with the Study and your transactions with us. We collect this data directly from you or, particularly in connection with the Study, our Processors will collect that data on our behalf.
One type of data we collect from you is non-identifiable and anonymous information (“Non-Personal Data”). We also collect, or our Processors collect on our behalf, several categories of personal data (“Personal Data”).
We elaborate next on two categories of Personal Data we may collect from you or that may be collected from you on our behalf.
A. Personal Data we collect about you from your transactions with us:
We collect Personal Data provided consciously and voluntarily by you, or by an organization you represent or are associated with. This may include your name (first and last), email address, phone numbers, picture, postal address, position and organization name, professional qualifications and other information you may choose to provide to AtaCor.
You do not have any legal obligation to provide any information to AtaCor; however, we require certain information to perform our contractual obligations. If you choose not to provide us with certain information, then we may not be able to work with you or your organization.
AtaCor may also collect the email addresses of people who communicate with AtaCor via email. We collect Personal Data required to enter into a business relationship when you register interest and/or submit a request that we contact you.
B. Personal Data that is collected on our behalf by our Processors:
Our Processors collect your Personal Data when you provide them such information by entering it manually or automatically. They also collect your Personal Data when you undergo medical assessments at a Hospital and during the course of the Study.
The CROs, the Hospitals and the Investigators collect and process the Personal Data of Study Participants on our behalf. This may include Study Participants’ names, postal address, email address, phone numbers as well as gender and age. This also includes health data, which is a special category of Personal Data, including data collected directly from the Data Subjects both orally, and in writing, as well as during tests, the relevant surgical procedures, and samples taken in the Study, as detailed in the Study protocol and in the informed consent form. Study Participants’ emergency contacts’ data is also collected during the Study on our behalf, and includes name and contact information. Hospital personnel and Investigator data is also collected on our behalf, such as by our CROs, and includes names, role, contact information and professional qualifications.
AtaCor makes reasonable efforts to ensure the Personal Data it receives regarding its Study Participants is in pseudonymized form. In general, AtaCor personnel does not receive information that would allow AtaCor to identify the names of Study Participants or other individuals using AtaCor devices or services. It is AtaCor’s policy to de-identify any information it receives in the event it is not already in pseudonymized form and to notify the sender so that additional information that is not pseudonymized is not transmitted to AtaCor again.
- WHAT ARE THE PURPOSES OF PERSONAL DATA WE COLLECT? WHAT ARE THE LAWFUL BASES FOR PROCESSING?
Summary: We process Personal Data on several different lawful bases, including contract, legitimate interest, legal obligation, and scientific research.
(i) We process Personal Data in connection with the research activities involved in the Study based on our legitimate interest to conduct scientific research (GDPR Article 6(1)(f)) and special-category health data based on scientific research (GDPR Article 9(2)(j)). We do this through questionnaires and/or your Personal Data is collected by the Investigators during the Study.
(ii) We and our Processors process Personal Data necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract (GDPR Article 6(1)(b)). We do this by:
(iii) We process Personal Data based on legitimate interests of ours, of our Data Subjects or of a third party (GDPR Article 6(1)(f)) including:
(iv) We process Personal Data where it is necessary for compliance with a legal obligation to which we are subject (GDPR Article 6(1)(c)):
- SHARING DATA WITH THIRD PARTIES
Summary: We share your Personal Data with third parties to carry out the Study. We take steps to ensure that those third parties treat your data appropriately, including in most cases, by sharing data in a pseudonymized form.
We transfer Personal Data to third parties in a variety of circumstances. We take steps to ensure that these third parties use your information only to the extent necessary to perform their functions, and to have a contract in place with them to govern their processing on our behalf. These third parties may assist us in collecting the Personal Data, carrying out the Study, analyzing data, providing IT and other support services or in other tasks. These third parties may also include analytics and search engine providers that assist us in the improvement and optimization of our marketing.
For Study data, these third parties include the Hospitals, Investigators, CROs, auditors, regulatory authorities, and the Ethics Committees (EC)/Institutional Review Board (IRB). Your medical records, which contain information allowing your identification (such as name and contact information), will be stored securely at your Hospital and accessed by the Study personnel. AtaCor will usually only receive pseudonymized data, under unique study-specific codes, and will not be able to identify you from this data. It is AtaCor’s policy to de-identify any information it receives in the event it is not already in pseudonymized form and to notify the sender so that additional information that is not pseudonymized is not transmitted to AtaCor again. Likewise, the Personal Data we share with third parties will generally be pseudonymized, unless access to directly identifying data is required specifically for auditing, monitoring, and inspection purposes. Furthermore, third parties are required by law and contractual obligations to maintain confidentiality of your Personal Data. The results of the Study may be published in medical journals or books or may be used for educational purposes or for presentations to regulatory organizations. Your identity will be kept confidential and will not be used in any publication or educational material without your specific permission.
We periodically add and remove third party providers. At present, our third-party providers to whom we may transfer Personal Data also include the following:
- Data Monitoring Committees;
- Scientific Advisory Boards;
- Competent authorities;
- IT support staff, e-Clinical platforms and other electronic data base providers and electronic storage processors;
- Our lawyers, accountants, local payroll service providers, and other standard business service providers; and
- Other industry standard business software and partners.
In addition, we may disclose your Personal Data to third parties if some or all of our Company’s assets are acquired by a third party, including by way of a merger, share acquisition, asset purchase or any similar transaction, in which case Personal Data may be one of the transferred assets. Likewise, we may transfer Personal Data to third parties if we are under a duty to disclose or share your Personal Data in order to comply with any legal, audit or compliance obligation, in the course of any legal or regulatory proceeding or investigation, or in order to enforce or apply our terms and other agreements with you or with a third party, or to assert or protect the rights, property, or safety of AtaCor. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.
For avoidance of doubt, AtaCor may transfer and disclose non-personal data to third parties at its own discretion.
- WHERE DO WE STORE YOUR DATA?
We store your Personal Data in servers owned or controlled by AtaCor, or processed by third parties on behalf of AtaCor, by reputable cloud-service providers in the US and abroad (see the following section regarding international transfers) such as Merative (formerly IBM Watson Health) and Florence Healthcare.
- INTERNATIONAL DATA TRANSFERS
- To the United States of America: All Personal Data transfers to the US are subject to Data Protection Agreements which contain the European Commission’s Standard Contractual Clauses or other legal mechanisms to conduct such transfers.
We may transfer your Personal Data outside of the EEA, in order to fulfil the purposes described in section 2 above, including in particular the following:
- Store or backup the information;
- Enable us and our Processors to analyze the clinical results of the Study; and
- Fulfill any legal, audit, ethical or compliance obligations which require us to make that transfer.
- DATA RETENTION
Summary: We retain Personal Data connected to the Study in accordance with applicable regulations and standard industry practice. Personal Data that is no longer required will be anonymized or deleted.
AtaCor will retain Personal Data related to the Study throughout the Study, as well as during the period necessary for AtaCor to maintain the scientific integrity of the Study, comply with its legal and ethical obligations, resolve disputes and enforce agreements, and meet any audit, compliance, research and other legitimate best-practice requirements. Study documentation shall be kept for a period of 15 years after the Study has ended, or in the event that the study-related medical device is subsequently placed on the market, at least 15 years after the last device has been placed on the market, or as otherwise required by local regulations. Your Personal Data may continue to be processed in pseudonymized form after the end of the Study or after your withdrawal from the Study if it is necessary for reasons of public interest in public health, for archiving purposes in the public interest, for scientific research purposes or for statistical purposes (but always in compliance with applicable laws and regulations). AtaCor may, at its discretion, require its Processors to permanently delete all the Personal Data they process on behalf of AtaCor.
AtaCor will retain other Personal Data for as long as required in our view, to comply with our contractual, legal, and other obligations to resolve disputes and to enforce agreements. We will also retain Personal Data to meet any audit, compliance, and business best-practices.
- SECURITY AND STORAGE OF INFORMATION
Summary: We implement and enforce strong security measures to protect your Personal Data.
We take great care in implementing, enforcing, and maintaining the security of the Personal Data we process. AtaCor implements, enforces, and maintains security measures, technologies and policies to prevent unauthorized or accidental access to or destruction, loss, modification, use or disclosure of Personal Data. We likewise take steps to monitor compliance of such policies on an ongoing basis. Where we deem it necessary considering the nature of the data in question and the risks to Data Subjects, we encrypt data. Likewise, we take industry standard steps to ensure our services are safe. We require that our Processors who collect and process your Personal Data on our behalf take similar steps to enforce and maintain security measures.
Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
AtaCor shall act in accordance with its policies and with applicable law to promptly notify the relevant authorities and Data Subjects if any Personal Data processed by AtaCor is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. AtaCor shall promptly take reasonable remedial measures.
- DATA SUBJECT RIGHTS
Summary: Data Subjects in the EU have rights to data portability, rights to access data, rectify data, object to processing and erase data and other rights, all depending on various circumstances.
Data Subjects to whose data the GDPR applies have rights under the GDPR and local laws, including, in different circumstances, rights to data portability, rights to access data, rectify data, object to processing, and erase data. It is clarified for the removal of doubt that Data Subject rights cannot be exercised in a manner inconsistent with the rights of AtaCor employees and staff, with AtaCor proprietary rights, or with third-party rights. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply. If processing occurs based on consent, Data Subjects generally have a right to withdraw their consent.
Regarding Study data, the extent to which you may exercise these rights will be limited by the requirements of the Study, the principles of the investigative site, and applicable laws and regulatory requirements. If you restrict or object to the processing of your Personal Data, you may no longer be able to participate in the Study. Although Data Subjects consent to take part in the Study, their Personal Data is not processed in reliance on their consent but based on GDPR Article 9(2)(j) scientific research. It is clarified for removal of doubt that where your Personal Data has already been processed in relation to the study or included in academic research material, it may no longer be feasible for such data to be accessed, erased, rectified etc.
A Data Subject who wishes to modify, delete or retrieve their Personal Data or exercise other data subject rights, may do so by contacting AtaCor’s Data Protection Officer at firstname.lastname@example.org. Study Participants may also contact their Hospital or Study Investigator to exercise such rights.
Note that AtaCor may have to undertake a process to identify a Data Subject exercising their rights. AtaCor may keep details of such rights exercised for its own compliance and audit requirements. Where relevant, AtaCor will require its Processors to act in accordance with the Data Subject access request. Please note that Personal Data may be either deleted or retained in an aggregated manner without being linked to any identifiers or Personal Data, depending on technical commercial capability. Such information may continue to be used by AtaCor.
Data Subjects in the EU have the right to lodge a complaint, with a data protection supervisory authority in the place of their habitual residence. If the supervisory authority fails to deal with a complaint, you may have the right to an effective judicial remedy.
We do not knowingly collect or solicit information or data from or about children under the age of 18. Participants in the Study are only eligible if age 18 or older. If we learn that we have collected or have been sent Personal Data from a child under the age of 18, we will delete that Personal Data as soon as reasonably practicable without any liability to AtaCor. If you believe that we might have collected or been sent information from a minor under the age of 18, please contact AtaCor’s Data Protection Officer at email@example.com as soon as possible.
- CONTACT US
Our data protection officer (DPO) may be contacted at: firstname.lastname@example.org.
Our GDPR Article 27 EU representative, Data Protection Representative Ltd., may be contacted at email@example.com.