PSI Data Protection Notice: Contractor

Last revision on 19 August 2022

PSI CRO AG, the parent company, and the entity that engages you (PSI, we: https://www.psi-cro.com/global-reach), will need to collect and use information about your professional qualifications and other personal data to ensure that your engagement with us is administered in compliance with the laws and PSI’s legitimate business interests.

For some purposes, PSI CRO AG and the PSI entity that engaged you act as joint data controllers with regards to the use of your personal data, which means that they share the responsibility for appropriate use of your personal data. For some other purposes, PSI CRO AG and the PSI entity that engaged you may act as independent data controllers, which means that they are independently responsible for the use of your personal data. In the latter case PSI CRO AG and the PSI entity can be a data processor for the other entity. The data controller shall define the purpose of processing, and the processor will assist the controller to process your data.

The objective of this Notice is to provide you with an overview of how we process your personal data, namely how we collect, use, storage, and disclose them.

WHICH PERSONAL DATA DO WE PROCESS?

Personal data that we may need to process about you may relate to the following categories:

Contact: name, e-mail address, phone number, position, department, business location, etc.
Qualification: education, work experience, language skills, CV, former employment, certificates, licenses, professional membership, awards, publications, professional opinions, advice, consultation, etc.
Passport and business travel: date of birth, gender, birth country, birth city, national ID type, national ID, citizenship status, citizenship country, nationality, travel details, national and international passport, visa applications, visa details, etc.
User data: data required to provide you with access to company computer systems and networks, e.g., IP address, user password, user login name IDs assigned in the system, etc.

These are a few examples of the data that we process. You can request the complete list of processed data from PSI Data Protection Officer (DPO).

WHAT ARE THE PURPOSES AND LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA?

PSI will process your personal data to ensure that we meet our respective contractual obligations in accordance with the service agreement that you entered into with us. The legal basis for this processing is the execution and fulfilment of this service contract.

In some specific cases, we can reach out for your consent to data processing. For instance, when we or would like to share photographs picturing you and taken at a business or a team building or other related event via PSI public media accounts.

PSI has the legitimate interest to use your personal data for a number of purposes. Some examples of such processing purposes are provided below.

  • Assigning you a role and tasks in a project/study conducted by PSI for a clinical trial sponsor and managing your engagement into this and other projects/studies in accordance with the study contract.Please note that as soon as your data become part of a study file, study sponsor becomes the data controller for your data for the study-related purposes. In any case, you are welcome to address any enquiries with this regard to PSI DPO.
  • We will need to use your data to arrange project-related and corporate trainings as appropriate for the services that you deliver to PSI.
  • In order to ensure appropriate security, PSI may need to monitor the activity of the users on the corporate network and other corporate resources, including e-mail and access to the internet.
  • We are constantly working to improve our internal business processes, for which we might need to have an overview of information about our service providers.

PSI may need to share photographs picturing you and taken at a team building or other work-related event via PSI public media accounts. For such specific data uses, we will reach out for your consent, in which case your consent will be the legal basis for the processing of your personal data by PSI.

You can request the complete list of activities and respective legal basis for data processing from PSI DPO.

WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA

PSI personnel: As PSI is a global company with worldwide presence, we need to share information, including personal information of our contractors, within PSI, to manage our business operations and comply with the applicable laws. This means that all PSI staff will have access to your PRIMA profile, as well as other personal data as needed to enable them to carry out their job responsibilities.

Third party service providers: When we need to use your personal information to fulfill our contractual responsibilities towards you, like administering the payment for your services, we may need to engage an external company to help PSI carry out its obligations. In this case, PSI will need to share your personal information with such third-party providers. When PSI works to improve internal processes, e.g., to automate manual operations, PSI may need to engage professional service providers and enable access to your personal data for the delivery of their assistance.

Sponsors, study vendors: When your services require you to work as a member of a project team for different clinical studies, PSI will share your contact data, information about your professional qualifications and other relevant personal data with the study sponsors and vendors involved in the study.

Authorities: When we collect information for some of the purposes, we may do so in response to a statutory requirement. In such cases, to comply with the law, we will have to share your data with the authorities. In addition, regulatory authorities will have access to your personal information when these data make part of the study file. There may be other cases when disclosure of your data will be required. We will follow the applicable laws in this regard.

When the parties with whom we need to share your data are located abroad, information about you will need to be sent or/and accessed from abroad, including to/from countries where the personal data protection laws may be less strict as compared to the countries of the European Economic Area, Switzerland, and the UK. When PSI shares your data with such entities, we ensure that these external recipients, regardless of their location, commit to protect your personal information. We implement technical and organizational measures to safeguard your data. Such efforts include technical and organizational measures, as well as certain contractual protections to safeguard your personal data. You can ask PSI to tell you more about these safeguards, including a review of any applicable protective measures.

FOR HOW LONG DO WE RETAIN YOUR DATA?

PSI will retain your personal data for as long as the services agreement is in force. After the termination of the agreement, we may keep your data during the legally established timeframes and to comply with the legal obligations to which PSI is subject.

When you are engaged in a study as a project team member, some of your personal data contained in your CV(s), study-related communication, etc., shall be retained as part of the study file in accordance with the laws applicable to clinical trials.

HOW TO EXERCISE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

You have the right to request access to, rectification or erasure of your personal data, restriction of processing, as well as object to processing in some cases. You can also request a digital copy of the personal data that you provided to PSI. You can also withdraw your consent to processing for some purposes, if you initially consented to have your data processed, however please note that in such case the use of your data before you changed your mind, remains lawful.

Please note that more documents that define the processing of your personal data by PSI may be available. You may obtain more information on the terms of your data processing, including the complete list of purposes for which your data are processed, categories of personal data processed by your PSI counterparty, etc., as well as file any other enquiry. For this, please contact PSI DPO at privacy@psi‑cro.com

If you are based in the EU, you have the right to lodge a complaint to the supervisory authority. You will find your national data protection authorities and their contact details following this link: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If the national data protection authority is not on the list, please reach out to PSI Data Protection Officer to ask about this right in your country.

HOW WILL YOU KNOW THAT PSI REVISED THIS NOTICE?

PSI reserves the right to modify this Notice as needed to reflect changes in laws, PSI practices and procedures, or requirements imposed by data protection authorities. If changes occur, PSI will notify you of the changes to this Notice that can have an impact on your obligations and rights.