GDPR or General Data Protection Regulation
Regulation (EU) nr. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Any information relating to an identified or identifiable natural person.
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The identified or identifiable natural person to whom the Personal Data relates.
Every natural person or legal person besides Syntactx (including its employees) and the Data Subject.
If you are a Data Subject belonging to a (potential) Syntactx customer, prospect or lead, vendor or consultant, Syntactx may collect your Personal Data concerning your identity (e.g. name, address, e-mail address and telephone). We may combine other publicly available information, such as information related to the organization for which you work, with the Personal Data that you provide to us through our Sites or any other means of communication.
If you are a consultant, then we may also collect your CV information, information on medical licenses, financial disclosures and your bank account information.
Syntactx uses the Personal Data we collect from you for the following purposes:
· To contact you about your registration for or your use of the Site or of our Services
· To contact you in response to your inquiries, comments and suggestions
· To contact you otherwise when necessary
· For the specific purpose for which it was volunteered
· To ask for your participation in brief surveys
· To complete any purchases or other transactions you may perform
· To notify you about updates, promotions, special offers, etc., regarding products and services provided by us or our affiliates or partners
· To generate aggregate statistical studies
· To compensate you for services you provide to Syntactx
· For Syntactx’s financial management
· For an acquisition, merger, or sale
· For our other business purposes, as further described to you when we collect the information or when we contact you
· To comply with regulatory obligations
Syntactx is allowed to process your Personal Data for one or more of these purposes because it is necessary for entering into a contract with Syntactx of for the performance of a contract you have entered into with Syntactx (article 6, sec. 1(b) GDPR) or because it is necessary for the legitimate business interests of Syntactx (article 6, sec. 1(f) GDPR) or because Syntactx is legally obligated to (article 6, sec. 1(c) GDPR) or because Syntactx obtained your consent thereto (article 6, sec. 1(a) GDPR).
Syntactx may also share your Personal Data collected through our Sites with Third Parties. We refer to subsection “Data Exchange with Third Parties” for more information on this.
We may also use log files, cookies and similar technologies. Cookies are pieces of information that some websites transfer to the computer that is browsing that website and are used for recordkeeping purposes at many websites. Our Website uses log files, cookies and similar technologies for the following purposes:
· To collect information about the pages you view, links you click on and other actions you may take when accessing our Sites in order analyze our Website usage (analytical cookies)
· To collect an IP address from visitors to our Sites in order to help diagnose problems with our server(s), to administer our Websites and to monitor activities on and interactions with our Websites, user preferences and other computer and connection information relating to your use of our Sites.
Your browser is probably set to accept cookies. By visiting our Websites and continuing to browse our Websites, you consent to the collection, processing, and storage of log files, cookies and similar technologies for the purposes described above.
Data Controller – Syntactx, LLC, with a registered office located at 4 World Trade Center, 150 Greenwich Street, 44th Floor, New York, NY 10007 (United States), and Syntactx Europe BVBA, with a registered office at Eenestraat 2 bus 21, 9472 Denderleeuw (Belgium) will act as data controllers for the processing of your Personal Data for the purposes described above.
Security – We are committed to ensuring that your information is secure. Syntactx takes reasonable precautions through physical, technical and administrative procedures to safeguard and secure personal information in its possession from loss, misuse, unauthorized access or disclosure, alteration and destruction of the Personal Data under our control, taking into due account the risks involved in the processing and the nature of the Personal Information Syntactx is processing.
Syntactx’ personnel who receives your Personal Data, is legally bound to keep your Personal Data confidential, notwithstanding any data exchange as mentioned under subsection “Data Exchange with Third Parties”.
Syntactx will only use Personal Data in a way that is consistent with and relevant to the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Syntactx will take reasonable steps to ensure that Personal Data is accurate, complete, current and reliable for its intended use and for the duration it is held by Syntactx.
Disclaimer – Although we have implemented security measures, it is not possible to entirely guarantee the security or integrity of information you disclose online since a sufficiently powerful attack from an unauthorized third party could compromise your data.
Personal Data that you send to us can moreover only be processed safely when this data has passed our protection filter and insofar as they are under our control. We cannot take any responsibility for the safety of this Personal Data prior to receiving this data and/or after transferring this data to another controller.
The person who sends us the Personal Data is always responsible for the accuracy of the transferred information.
Syntactx does not transfer your Personal Data to Third parties, except in the circumstances mentioned below.
Syntactx Affiliates and Service Providers - Syntactx may transfer your Personal Data to Syntactx affiliates and Third Party service providers, such as IT service providers, accountants and auditors, for business support. These Third Parties may access, process or store Personal Data necessary for the provision of their services to Syntactx. The purposes and legal grounds on the basis of which this Personal Data is processed by these Third Parties are the same as those on the basis of which Syntactx collects and processes this Personal Data. Syntactx has entered into agreements with its service providers to ensure that they only process your Personal Data in accordance with Syntactx’s instructions and in accordance with the GDPR, including the taking of adequate safety measures.
Consent - Syntactx may also share, sell, rent or trade your Personal Data collected through our Sites with Third Parties for their sole promotional purposes with your explicit consent after being informed hereof (article 6, sec. 1(a) GDPR).
Legal Claims and Proceedings - Syntactx may transfer your Personal Data to Third Parties who assist Syntactx in the context of legal actions (e.g. liability disputes or unpaid invoices), such as liability insurers, bailiffs and lawyers. The GDPR allows Syntactx to share your Personal Data as such insofar as this is necessary for such purposes (article 6, sec. 1(f) GDPR).
As Required or Allowed by Law or Regulation - Syntactx may also transfer your Personal Data to Third Parties, including government authorities or private institutions, insofar this is required or allowed by law or regulation (article 6, sec. 1(c) GDPR). Syntactx will notify you of any such transfers unless prohibited by law.
Syntactx will process your Personal Data partly in the United States, inter alia by using Syntactx servers in the United States or by making use of Third Party service providers in the United States. In doing so, Syntactx will ensure an adequate level of data protection by having Syntactx, LLC and any other such Third Party situated in the US complied with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of Personal Data transferred from the European Economic Area and Switzerland to the United States. Syntactx LLC and any other such Third Party situated in the US has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. You can always contact us if you wish to receive a copy of Syntactx, LLC’s or any such Third Party’s Notice of Certification (see subsection “Inquiries and Complaints”).
Syntactx does not act as data controller for the Personal Data processed as part of Syntactx’s platform, applications and services for our customers. Personal Data processed for our customers includes Personal Data from or about their authorized users (e.g. name, user access type, work e-mail, signature for creating accounts and access to Syntactx services), employees, clinical trial subjects (including health data) and investigational site staff (together, “Customer Data”).
The customer is the data controller for Customer Data. Our customers are therefore responsible as data controllers for complying with regulations or laws, including the GDPR, regarding notice, disclosure and/or obtaining consent prior to transferring the Customer Data to Syntactx for processing purposes.
Syntactx only processes this Customer Data as instructed by our customers and has no direct control or ownership of the Customer Data it processes. Customer instructions may include processing or using Customer Data for purposes of providing or developing the Syntactx service platform, applications and services, preventing or addressing technical problems, responding to support issues, responding to our customer’s instruction or as may be required by law. Syntactx will not share or distribute Customer Data except as provided in the Agreements between Syntactx and our Customers. These Agreements may provide Syntactx with the rights to process or use Customer Data for Syntactx’s business purposes including providing or developing the Syntactx service platform, preventing or addressing service issues, support or technical problems, responding to our Customer’s instructions or as may be required by law. We will refer any request for disclosure of Customer Data by a law enforcement authority to our customer unless prohibited by law and we will make such disclosures where we conclude that we are legally obliged to do so.
It is important to know that you (or your legal representative) can exercise different rights on the basis of the GDPR with regard to your Personal Data processed by Syntactx. The following explains what these rights include and how you can exercise these rights.
Right to Access - You always have the right to access the Personal Data that is processed by Syntactx, free of charge, unless this access is excluded by law and except where the rights of persons other than the individual would be violated. Along with your right to access, you also have the right to receive certain information about this processing. More specifically, you are entitled to the following information:
· The categories of the Personal Data concerned
· The purposes of the processing of this Personal Data
· The categories of Personal Data and their retention period
· The categories of recipients to whom this Personal Data is provided
· Your rights with regard to this Personal Data
· The source of this Personal Data, if this Personal Data was not collected from you.
Right to Copy - You also have the right to receive a copy of your Personal Data free of charge. If, however, you require multiple copies of the same information, we do have the right to charge a fee for administrative costs.
Right to Rectification - You also have the right to have any incorrect or incompletely processed Personal Data (e.g. your contact details) corrected or supplemented free of charge.
You may also request that your Personal Data is temporarily not processed (except in a number of legally defined cases) until the correctness or completeness of your Personal Data has been checked and any inaccuracies/omissions have been corrected (except in a number of legally defined cases). See also subsection "Right to Restriction of Processing" on this.
Right to Data Portability - With regard to Personal Data processed in an automated manner (e.g. via computer), you also have the right to request that Syntactx transmits a copy of your Personal Data in a machine-readable format (e.g. XML) to you and/or directly to another institution or person of your choosing.
This right, however, only applies to Personal Data that you have provided yourself and only if the processing by Syntactx is based on your consent or on the need to enter into an agreement with Syntactx or to execute an agreement you entered into with Syntactx. This right, for example, does not apply to Personal Data that is solely processed by Syntactx on the basis of its own legitimate interests.
Right to Withdraw Your Consent - When we process your Personal Data on the basis of your consent, you always have the right to withdraw this consent. We will then no longer process your Personal Data. This does not, however, affect the lawfulness of the processing before the withdrawal of your consent.
If you withdraw your consent, you can request at the same time that your Personal Data be deleted. See subsection "Right to Erasure" on this.
Right to Object to the Processing - Even if your Personal Data is processed without your consent, you may oppose in certain cases the processing of your Personal Data by Syntactx. This is the case when your Personal Data is processed on the basis of the legitimate interest of Syntactx within the meaning of article 6, sec. 1 (f) GDPR (e.g. Personal Data on promotions and special offers).
If the processing is, however, not intended for direct marketing, Syntactx could still continue to process your Personal Data, regardless of your objection, when this processing is necessary for compelling legitimate grounds. While awaiting the assessment of these reasons, you may request us to temporarily refrain from processing the Personal Data concerned (except in a number of legal cases). See subsection "Right to Restriction of Processing" on this.
Right to Erasure - If you believe that your Personal Data may no longer be processed by Syntactx (e.g. because these data are no longer necessary or are processed unlawfully), you can request that your Personal Data be permanently deleted from Syntactx’s databases.
Instead of removal, you can also request that your Personal Data be stored but not processed any longer (except in certain legally defined cases). See subsection "Right to Restriction of Processing" on this.
Right to Restriction of Processing - In certain cases you have the right to request that your Personal Data is stored by Syntactx but is no longer processed. Apart from the cases mentioned above in the context of the right to rectification, to object to the processing and to erasure, you also have this right when Syntactx no longer needs your Personal Data, but you still need it yourself in the context of legal proceedings.
In some legally defined cases, however, the right to restricted processing does not apply and Syntactx may still process your Personal Data. Such cases include:
· If you have given your consent for the processing
· If Syntactx needs your Personal Data in the context of a legal claim or legal proceedings
· If your Personal Data must be processed to protect the rights of another natural or legal person
Verification - If your request is unclear or if there is any doubt about your identity, Syntactx can request the necessary additional information from you. If you refuse to provide the necessary information, Syntactx can refuse your request.
Response Time - After submitting your request we will inform you as soon as possible and at the latest within one month after submission of the request. In case of complex situations or frequent requests, this period can be extended to three months after submission of the request. In that case, we will inform you of this.
Free of charge - This request procedure is provided to you (as the Data Subject) completely free of charge. However, if your request is manifestly unfounded or if you make excessive use of your rights, in particular by submitting similar requests repetitively, then Syntactx has the right to refuse these requests or to charge a reasonable fee for the administrative cost.
Inquiries - For all questions regarding the processing of your Personal Data by Syntactx, you can always contactor call +1 (212) 228-9000.
However, if you have any complaints, we kindly request you to present them to us first via firstname.lastname@example.org or call +1 (212) 228-9000 so that we can find a suitable solution to your problem. In compliance with the Privacy Shield Principles, Syntactx commits to resolve complaints about our collection or use of your Personal Data.
If you work for a customer (e.g. a study sponsor) of Syntactx or if a customer of Syntactx collected your Personal Data using our platform or applications, then please direct any questions or complaints, inter alia requests regarding your rights as a data subject to the customer (the data controller). The customer is responsible as data controller for complying with regulations or laws, including the GDPR. See also subsection “Processing by Syntactx for Customers (Customer Data)”.
If our customer requests us to rectify, restrict or erase the Customer Data to comply with data protection regulations, we will respond to their request without undue delay and at least within 30 business days. In some situations you may, however, be able to perform certain operations yourself through our applications.
Your Personal Data will be stored for as long as legally required or for as long as is necessary for the purpose for which it was processed by us (e.g. for the performance of a contract). For more information about the storage period of your Personal Data, you can always contactor call +1 (212) 228-9000.
Last updated: 13 July 2018