Effective: January 1, 2021
INTRODUCTION AND SCOPE
Patient Advertising Guru, Inc., a New York corporation, with offices located at 95 Broadhollow Road, Melville, New York 11747 USA (“PAG”,” “we,” “us,” “our”) takes the protection of Personal Data very seriously. This Policy addresses data subjects whose Personal Data we may receive through subdomains mentioned below under Covered Entities.
If you are a resident of the State of California, this Policy also incorporates our Privacy Notice for California Residents which includes additional information required to be provided under California law.
If you are a resident of the European Union, this Policy also incorporates our compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as well as the General Data Protection Regulation (GDPR).
This Policy covers Patient Advertising Guru, Inc, the following affiliate entities and their subdomains:
Throughout this Policy, when we refer to “PAG” we mean Patient Advertising Guru Inc, its affiliates and their subdomains, collectively.
In the context of this Policy, PAG acts as a data controller or data processor for the Personal Data we process, depending on our relationship with you and with our Clients. For example, when we process your Personal Data when you contact us through our website or if we return your inquiry by phone at your request, we act as a data controller. On the other hand, we generally act as a data processor in connection with services provided to our Clients.
CATEGORIES OF PERSONAL DATA
We may process the following types of Personal Data:
- Biographical information, such as your first and last name, age, and date of birth;
- contact information, such as your email address and phone number;
- Location data and online identifiers, such as IP address;
- web application usage data; and health data (sensitive personal data), such as information about medical symptoms or prescribed medications, which you voluntarily provide in order to determine your eligibility.
HOW WE RECEIVE PERSONAL DATA
You may provide us with personal data when you:
- visit our website (by way of our cookies and other tracking technologies) or,
- speak to a research site by phone, who may input additional data into our secure system
After you enter your name and contact information into the form on our website, a participating research site from your area will call you at the phone number you provided. During this phone call, the study representative may ask you various of questions in order to determine your eligibility to participate in the research study in which you have responded about.
We do not collect your information for any other research study opportunity other than the study you’ve inquired about, nor will we ever contact you regarding any future study opportunities. If we receive your Personal Data from a third party, we will notify you, where required by applicable laws, without undue delay.
BASIS OF PROCESSING
Where we act as a data controller within the scope of this Policy, we may rely on one or more of the following legal grounds for processing your Personal Data:
- your explicit consent;
- the processing is necessary for the performance of a contract with you, such as providing you with our services or to perform related pre-contractual steps at your request prior to entering into a contract;
- the need to pursue the legitimate interests of our Clients, such as finding qualified patients to participate in clinical trials;
- the need to comply with legal obligations; and
- any other ground, as required or permitted by law.
Where we rely on your consent as a legal ground for processing your Personal Data, you may withdraw your consent at any time. However, if you withdraw your consent, it will not affect the lawfulness of the processing that occurred based on your consent prior to your withdrawal.
Where we receive your Personal Data directly from you for the purpose of providing you with our services, we require your Personal Data in order to perform our contractual obligations owed to you. Without the necessary Personal Data, we will not be able to provide our services to you.
Where we act as a data processor within the scope of this Policy, we will process your Personal Data based on the documented instructions of the relevant data controllers.
PURPOSES OF PROCESSING
We process Personal Data for the purposes of:
- assisting our Clients in finding clinical trial participants;
- providing other services to our Clients;
- enabling the use of our website and the services we provide to potential participants in clinical trials;
- responding to inquiries, and/or other requests or questions;
- targeting our advertising.
DATA RETENTION PERIODS
Where we act as a data controller and when the purposes of processing are satisfied, we will retain your Personal Data for up to six months, unless you request that we delete your Personal Data sooner.
Where we act as a data processor, we will delete your Personal Data within six months of receiving an instruction to do so by the relevant data controller.
SHARING PERSONAL DATA WITH THIRD PARTIES
We may share your Personal Data with other entities. Such third parties may include:
- our Clients, in which case the transfers of your sensitive Personal Data are taking place only based on your explicit consent;
- those providing and managing IT systems and infrastructure for PAG;
- those providing communications software;
- e-mail service providers;
- customer relationship management (CRM) service providers;
- those providing cloud storage services;
- those providing enterprise resource planning software;
- social media services (in order to identify other potential participants for clinical trials).
We will require that these third parties maintain at least the same level of privacy and security that we maintain for such Personal Data. PAG remains liable for the protection of Personal Data that we transfer to our service providers.
OTHER DISCLOSURE OF YOUR PERSONAL DATA
We may disclose your Personal Data:
- to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders;
- if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change; or
- to our subsidiaries or affiliates only if necessary for business and operational purposes.
If we must disclose your Personal Data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your Personal Data will maintain the privacy or security of your Personal Data.
DATA INTEGRITY & SECURITY
PAG has implemented and will maintain technical, organizational, and physical security measures that are reasonably designed to help protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction.
- ACCESS & REVIEW
If you are a data subject about whom we store Personal Data, you may have the right to request access to, and the opportunity to update, correct, port, or delete such Personal Data. Under certain circumstances, you may have a right to restrict or object to the processing of your Personal Data. You may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent that you have previously provided for your Personal Data to be shared with third parties, except as required by law. You also have the right to opt out if your Personal Data is used for any purpose that is materially different from, but nevertheless compatible with, the purpose(s) for which it was originally collected or subsequently authorized by you.
Where we act as a data controller, to submit such requests or raise any other questions, please contact us using the information provided in the Contact Us section of this Policy.
Where we act as a data processor, you may exercise your rights under this section by contacting the data controller who has provided your Personal Data to us.
PRIVACY OF CHILDREN
We do not knowingly collect Personal Data from anyone under 18. In the event that we learn that we process Personal Data from a child under age 13, we will delete the information that we have stored as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us using the information provided in the Contact Us section of this Policy.
CHANGES TO THIS POLICY
If we make any material change to this Policy, we will post the revised Policy to this web page and update the “Effective” date above to reflect the date on which the new Policy became effective.
Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Patient Advertising Guru Inc.’s internal processes, Patient Advertising Guru Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure https://allaboutdnt.com. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information here .
PAG is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
European Commission’s Standard Contractual Clauses
PAG has implemented measures to protect your personal information, including by using the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies and between us and our third-party providers. These clauses require all recipients to protect all personal information that they process originating from the EEA in accordance with European data protection laws and regulations. Our Data Processing Agreements that include Standard Contractual Clauses can be provided upon request. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
PAG complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU), the United Kingdom (UK) and Switzerland to the United States. Although Privacy Shield is no longer considered a valid transfer mechanism for the purposes of EU and Swiss data protection law, in light of the judgment of the Court of Justice of the European Union in Case C-311/18 and opinion of the Federal Data Protection and Information Commissioner of Switzerland dated 8 September 2020, PAG will continue to comply with the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.
PAG adheres to and complies with the Privacy Shield Principles when processing personal information from the EU, UK or Switzerland. If we have received your personal information in the United States and subsequently transfer that information to a third party acting as our agent, and such third party agent processes your personal information in a manner inconsistent with the Privacy Shield Principles, we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.
With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, PAG is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have any questions or concerns relating to PAG’s Privacy Shield certification, please write to us at the contact details below. We commit to resolving any complaints or disputes about our collection and use of your personal information under the Privacy Shield. However, if you have an unresolved complaint in connection with our certification, we commit to cooperating with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner and the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by them in respect of the complaint. Click here for a list of EU DPAs.
In limited situations, EU, UK and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism. Please be sure to review the following sections of this Privacy Notice for additional details relevant to PAG participation in the EU-U.S. and Swiss-U.S. Privacy Shield:
We collect names; phone numbers; email addresses; mailing addresses; contact preferences; health information; and other similar information. We collect the names, contact details, and professional information of clinical trial investigators, study researchers, and other HCPs for the purpose of identifying and assessing suitability to assist in clinical trials and research studies and to provide services. We collect your Personal Data when you provide it to us directly, for example such as when you express or register an interest to participate in, or learn more about a study through our Websites, and also, either directly or indirectly, from publicly available sources, such as websites, directories and industry networks, etc. We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.
In some regions, such as the European Economic Area, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.
In some regions (like the European Economic Area), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.
If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
If you are a resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here.
If you are a resident in Switzerland, the contact details for the data protection authorities are available here.
EU Rights Under the General Data Protection Regulation
PAG performs as a data “processor” that processes personal data on behalf of clinical trial sponsors. Pursuant to the General Data Protection Regulation (GDPR), if you are interested in participating in a study that appears on our clinical research study website, we request that you opt-in to consent to our collection and processing of your personal data for purposes of recruitment for the relevant research study.
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
You also have the right to complain to a supervisory authority in the EU Member State in which you are located if you feel there is a problem with the way we are handling your data. You may find a list of supervisory authorities here.
If you have any questions about this Policy or our processing of your Personal Data, please write to firstname.lastname@example.org or by postal mail at:
Patient Advertising Guru, Inc.
Data Privacy Officer
95 Broadhollow Road
Melville, New York 11747 USA
General Data Protection Regulation (GDPR) – European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Patient Advertising Guru has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
-by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
-by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
UK General Data Protection Regulation (GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Patient Advertising Guru has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
– by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
– by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom