This policy applies to all OXON employees and all third parties responsible for the processing of personal data on behalf of OXON.
This Policy applies to all personal data of individuals, whether in electronic or paper format, including personal data of OXON personnel, health care professionals, subjects of clinical studies, clinical investigators, clients, suppliers, and business partners.
OXON is committed to conducting its business in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct.
This policy sets forth the expected behaviours of OXON employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data.
OXON AS A CONTROLLER
The data controller of your personal data is the OXON entity with which you interacted to provide your personal information. The OXON entities can be found at http://www.oxonepi.com/contact/. Each OXON entity acting as a data controller can be contacted via the Data Protection Officer at firstname.lastname@example.org
INFORMATION WE MAY COLLECT AND PURPOSES
We may collect and process your personal information in the following main contexts:
OXON collects information on staff for human resources management. We may collect name, surname, address, e-mail, birth date, bank account details, phone number, time tracking information, etc., for processing salaries and for satisfying legal requirements in regard of social security.
OXON also collects personal information of job applicants from their curriculum vitae (CV) for evaluating the applicant’s suitability to work for OXON.
OXON may process similar information relating to consultants contracted on a freelance basis.
OXON may process contact and professional information from consultants, health care providers, contractors, business contacts, business partners and third-party service providers. OXON will process the names, contact details and other professional information on these individuals for legitimate business-related purposes.
For individuals participating in clinical studies being managed by OXON as a CRO, including subjects, care givers, and relatives, clinical investigators, other study staff, consultants, contractors, sponsor personnel, and third-party service providers, personal data may be used to carry out the studies and other study-related services.
As a standard in the execution of clinical studies, study subject's information is pseudonymized by a code in the records collected by OXON. Only study doctors and authorized study related staff may have access to the information that permits the identification of the study subject
OXON may also collect and process the following data about web visitors:
- Information that visitors provide by filling in forms on our website www.oxonepi.com (“Website”). This includes information provided at the time of using our Website, making a booking for webinars or requesting further information.
- OXON may also ask visitors for information when reporting a problem with our Website.
- If visitors contact us, we may keep a record of that correspondence.
- OXON may also ask visitors to complete surveys that we use for research purposes, although they do not have to respond to them.
- Details of visitors visits to our Website and the resources that they access
OXON strives to process the provided data in order to manage the corresponding contractual relationship, manage the submission of the requested information, provide offers for our services and/or products that may be of interest and/or manage their application.
IP Addresses and Cookies:
- estimate our audience size and usage pattern;
- store information about your preferences, and so allow us to customise our Website according to your individual interests;
- track your activities on our Website;
- speed up your searches; and
Third Party Websites
Our Website may, from time to time, contain links to and from the websites of third-party websites. If you follow a link to any of these websites, please note that these websites will have their own privacy policies and that we do not accept any responsibility or liability for third party policies.
Please check these policies before you submit any personal information to these websites.
LAWFULNESS OF PROCESSING
OXON will process personal data in accordance with all applicable laws and applicable contractual obligations. The data requested must be appropriate, pertinent and strictly necessary, and, in no circumstance, will the data subject be obliged to provide such data, but lack of such communication may affect the objective of the service or imply the inability of its execution.
OXON will process personal data only if, and to the extent that at least one of the following lawful bases are met:
The data subject has given consent to the processing of their personal data for one or more specific purposes.
The processing is necessary in order to enter into or perform a contract with the data subject
Compliance with legal obligations
The processing is necessary for compliance with a legal obligation under EU law or the laws of a Member State.
The processing is necessary to protect the "vital interests" of the data subject or of another natural person
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child.
THIRD PARTIES TO WHOM WE MAY TRANSFER THE DATA
OXON will only disclose (transfer, share, send, or otherwise make available or accessible) the personal data to third parties in the ways set out in this Policy.
OXON may disclose subjects’ personal data to a third party or use it for a purpose other than the purpose for which it was originally collected or subsequently authorized by the data subject, only if the data subject consents to such further processing.
OXON may share subjects’ personal data with its agents, contractors, clients or partners in connection to services that they perform for, or with, OXON.
OXON shall ensure that any third party to which personal data may be disclosed subscribes to the principles set hereby and is subject to applicable legal framework (including GDPR), providing the same level of privacy protection as is required by these principles and agree in writing to provide an adequate level of privacy protection.
OXON may transfer personal data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the data subjects. Where transfers need to be made to countries lacking an adequate level of legal protection, they must be made in compliance with an approved transfer mechanism.
HOW LONG WE WILL KEEP THE PERSONAL INFORMATION
OXON will not retain data longer than necessary to fulfil the purposes for which it was collected, according to our contractual arrangements, or as required by applicable laws and regulations.
HOW WE KEEP THE PERSONAL INFORMATION SAFE
Although total security cannot be guaranteed, OXON work hard to maintain physical, electronic and procedural safeguards to protect your information in accordance with applicable data protection requirements.
OXON will employ reasonable and appropriate technical, administrative and physical safeguards designed to protect personal data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data OXON is processing.
All staff members of OXON participating in any of the processing stages shall process and handle the personal data under strict care and confidentiality.
Regarding our website, unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
OXON AS PROCESSOR
Where OXON receives personal data from other entities in the EU or European Economic Area, including when acting as a CRO processing personal data under the direction of a customer, it shall use such information in accordance with the notices provided by such entities and the choices made by the data subjects to whom such personal data relates.
All clinical study information processed by OXON is done so under contract with our clients/sponsors. In terms established by the GDPR, OXON considers that the client/sponsor is the “controller”, that is ultimately in control of how and why clinical study data are processed, whilst OXON is the “processor”, that acts on the sponsor’s directions.
As a CRO, OXON collects, hosts and analyses data related to clinical studies subjects, on behalf and according to the directions of our clients/sponsors. In order to comply with article 28 of the GDPR, OXON will enter into Data Processing Agreements with all our customers/sponsors.
To enhance privacy and in accordance with Good Clinical Practice, study subjects’ personal data is non-identified, wherever possible.
APPLICABLE RIGHTS WHEN PROVIDING DATA
The data protection rights applicable to the interested parties are as follows:
- Right to be informed
- The right of access to personal data
- The right of rectification or erasure
- The right to object
- The right to restrict processing
- The right to data portability
Holders of the personal data provided may exercise the rights on personal data protection by sending a written request to OXON registered address or to the e-mail to such effects email@example.com
Models, application forms and other information regarding rights is available in the website www.aepd.es of the Control Authority, the Spanish Data Protection Agency, hereinafter, AEPD for its abbreviation in Spanish.
If a party considers that OXON is not correctly processing, any claims can be sent to firstname.lastname@example.org or to the corresponding data protection Authority, Agencia Española de Protección de Datos in Spain, www.agpd.es
NOTIFICATION OF CHANGES
Communications, queries or requests to exercise informational rights or complaints can be addressed to the attention of the Data Protection Officer, OXON Risk Management, S.L. Calle doctor Fleming 51, 28036 Madrid, Spain. Email: email@example.com.