Last revision on 14 July 2022
PSI CRO AG, the parent company and the PSI entity that employs you (PSI, we: https://www.psi-cro.com/global-reach), will need to collect and use information about your professional qualifications and other personal data to manage the employment relationship between the employee and PSI, the employer.
For some purposes, PSI CRO AG and the PSI entity that hired you will act as joint data controllers with regard to the use of your personal data, which means that they share the responsibility for the appropriate use of your personal data. For some other purposes, PSI CRO AG and the PSI entity that hired you may act as independent data controllers, which means that they are independently responsible for the use of your personal data. In the latter case, PSI CRO AG and the PSI entity that hired you can be a data processor for the other entity. The data controller shall define the purpose of processing, and the processor will assist the controller to process your data.
This Data Protection Notice is an overview of how we process your personal data, namely how we collect, use, store, and disclose them.
WHICH PERSONAL DATA DO WE PROCESS?
Personal data that we may need to process about you may relate to the following categories:
Contact: name, e-mail address, phone number, position, department, business location
Job, position: job title, job function, department, region, supervisor
Passport and business travel: date of birth, gender, birth country, birth city, national ID type, national ID, citizenship status, citizenship country, nationality, travel details, national and international passport, visa applications, visa details
Appraisal: performance rating history, appraisal records, line manager and peer assessment
Payroll: bank account number, monthly salary amount, tax deductions
Expense and compensation: company credit card expenditures, company paid expenses, benefits, housing allowances, travel allowances, staff travel details, car or commuting allowances, expenses refund and advances
Training: professional improvement courses, exam certifications, training records
User data: data required to provide you with access to company computer systems and networks, e.g. IP address, user password, user login name IDs assigned in the system
These are a few examples of the data that we process. You can request the complete list of processed data from PSI Data Protection Officer (DPO).
WHAT ARE THE PURPOSES AND LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA?
PSI will use your personal data for the management, development, maintenance, and control of the employment relationship between you as the employee and PSI. Examples of such processing purposes are managing payroll, ensuring health and safety in the workplace, performing tax accountability, and supporting the professional career of the employee by conducting appraisals, trainings, promotions, and incentives. The legal basis for such use of your personal data is PSI’s obligation to fulfill its contractual obligations.
PSI may be required to collect data about your working hours, provide you with applicable types of mandatory insurance, etc. When using your personal data for these purposes, PSI will do so to comply with a legal obligation.
PSI needs to perform the activities listed below, and has the legitimate interest to use your relevant personal data to carry out these activities:
- Assigning you a role and tasks in a project/study conducted by PSI for a clinical trial sponsor and managing your engagement into this and other projects/studies in accordance with the study contract.
Please note that as soon as your data become part of a study file, the study sponsor becomes the data controller for your data for the study-related purposes. In any case, you are welcome to address any enquiries in this regard to PSI DPO.
- Arranging your business-related travel and enrolling you in corporate and project-related trainings.
- Identifying you in the corporate computer network and systems, creating user accounts to enable your access to the corporate resources that you need for work.
- Monitoring access to the office premises via electronic access system and installing video cameras to safeguard you and the company’s assets.
- Monitoring activity of the users accessing the corporate resources, including e-mail and internet, to ensure appropriate computer security.
- Carrying out internal evaluations to build systems to improve our internal business processes.
PSI may offer you the opportunity to join a program of social benefits, or may need to share photographs that picture you and were taken at a team building or other work-related event via PSI public media accounts. For such specific data uses, we will ask for your consent, in which case your consent will be the legal basis for the processing of your personal data by PSI.
You can request the complete list of activities and respective legal basis for data processing from PSI DPO.
WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?
PSI personnel: As PSI is a global company with worldwide presence, we need to share information, including personal information of our employees, within PSI, to manage our business operations and comply with the applicable laws. This means that all PSI staff will have access to your PRIMA profile, as well as other personal data as needed to enable them to carry out their job responsibilities.
Third party service providers: When we need to process your information to fulfill our employer responsibilities, for instance managing payroll, ensuring health and safety in the workplace, and managing your request for the use of social benefits or advantages, we may need to share some of your personal data with the companies that PSI engages to assist with the provision of such services.
Sponsors, study vendors: When your job responsibilities require you to work as a member of a project team for different clinical studies, PSI will share your contact data, information about your professional qualifications and other relevant personal data with the study sponsors and vendors involved in the study.
Authorities: When we collect information for some of the purposes, we may do so in response to a statutory requirement. In such cases, to comply with the law, we will have to share your data with the authorities. In addition, regulatory authorities will have access to your personal information when these data form part of the study file. There may be other cases when disclosure of your data will be required. We will follow the applicable laws in this regard.
When the parties with whom we need to share your data are located abroad, information about you will need to be sent abroad and/or accessed from abroad, including to/from countries where the personal data protection laws may be less strict as compared to the countries of the European Economic Area, Switzerland, and the UK. When PSI shares your data with such entities, we ensure that these external recipients, regardless of their location, commit to protect your personal information. We implement technical and organizational measures, as well as certain contractual protections, to safeguard your personal data. You can ask PSI to tell you more about these safeguards, including a review of any applicable protective measures.
FOR HOW LONG DO WE RETAIN YOUR DATA?
PSI will retain your personal data for as long as you are PSI’s employee. After the termination of the employment relationship, we may keep your data for the legally established periods and to comply with the legal obligations to which PSI is subject.
When you are engaged in a study as a project team member, some of your personal data contained in your CV(s), study-related communication, etc., shall be retained as part of the study file in accordance with the laws applicable to clinical trials.
HOW TO EXERCISE YOUR RIGHTS REGARDING YOUR PERSONAL DATA
You have the right to request access to, rectification or erasure of your personal data, restriction of processing, as well as to object to processing in some cases. You can request a digital copy of the personal data that you provided to PSI. You can also withdraw your consent to processing for some purposes, if you initially consented to have your data processed; however, please note that in such case the use of your data before you changed your mind remains lawful.
You may obtain more information about how we use your personal data, including the complete list of purposes for which your data are processed, categories of personal data processed by the PSI entity that employed you, etc., as well as file any other enquiry. For this, please contact PSI Data Protection Officer at privacy@psi-cro.com
If you are based in the EU, you have the right to lodge a complaint with the supervisory authority. You will find your national data protection authorities and their contact details at this link: https://edpb.europa.eu/about-edpb/about-edpb/members_en
If the national data protection authority is not on the list, please reach out to PSI Data Protection Officer to ask about this right in your country.
HOW WILL YOU KNOW THAT PSI REVISED THIS NOTICE?
PSI reserves the right to modify this Notice as needed to reflect changes in laws, PSI practices and procedures, or requirements imposed by data protection authorities. If changes occur, PSI will notify you of the changes to this Notice that can have an impact on your obligations and rights.