Canfield Scientific, Inc. (Canfield) is committed to protecting the privacy of individuals with whom we conduct business all over the globe. In order to conduct business globally in an increasingly electronic economy, it is often necessary to collect Personal Information (PI) about our partners and customers.
Data Privacy Framework (DPF) – principles detailing the mechanisms for secure personal data transfers to the United States from the European Union (EU), United Kingdom (UK), and Switzerland, in accordance with EU, UK, and Swiss privacy laws (https://www.dataprivacyframework.gov/s/).
Health Insurance Portability and Accountability Act (HIPAA) – enacted on 21Aug1996; federally mandated requirements for the creation, transmission, receipt, collection, storage, use, and disclosure of individually identifiable health information. HIPAA is applicable to anyone encountering patient information [including Contract Research Organizations (CROs)] and applies to Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) in order to reduce health care fraud and abuse.
Health Information Technology for Economic and Clinical Health Act (HITECH) – enacted on 18Feb2009; regulation which expanded HIPAA regulation to cover ePHI and specify requirements for notifying patients in the event of unauthorized disclosure or breach of security.
General Data Protection Regulation (GDPR) – enacted on 25May2018; regulation replacing Directive 95/46/EC which imposes obligations on organizations responsible for the handling and/or collection of data related to individuals within the European Union (EU).
United Kingdom (UK) Privacy Act – enacted on 25May2018; extension of the General Data Protection Regulation (GDPR) which controls the use of data of individuals located within the United Kingdom (UK) and enforces strict data protection principles; applicable to organizations, businesses, and government.
California Consumer Privacy Act (CCPA) – enacted on 01Jan2020; the California Privacy Rights Act will fully replace the CCPA in 2023; serves to expand existing privacy laws to grant consumers greater control over their personal data through the provisioning of consumer rights; includes the Right to Know, Right to Delete, Right to Opt-Out of Sale, and Right to Non-Discrimination.
- Data Controller – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed; the role of Sponsors working with Canfield.
- Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller; Canfield primarily serves as a Data Processor.
- Data Processing – any operation(s) performed on personal data (or personal data sets), whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Protection Officer (DPO) – individual responsible for matters relating to privacy and data protection within an organization.
- EEA – European Economic Area
- FTC – Federal Trade Commission
- Personal Data / Personal Information (PI) – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Protected Health Information (PHI) – any individually identifiable health information which can include the following:
  - Individual's past, present, and future physical and mental health conditions
  - Provision of health care to individual
  - Past, present, or future payment for provision of health care to individual
COLLECTION OF YOUR PERSONAL INFORMATION (PI)
Use of Canfield Websites
When providing services to customers, Canfield may request Personal Information (PI). Personal Data that may be requested includes the customer’s name, email address, company name, and/or telephone number. The customer’s provision of this information is strictly voluntary as Canfield uses this information to customize the user’s experience on our website, to provide alerts for products and services that can assist our client’s business, promote site registration, and facilitate order processing. Additional PI may be collected if the services provided by Canfield require collection and use of such information.
Please Note: If the information collected contains the customer’s Protected Health Information (PHI), Canfield will handle this information in compliance with HIPAA and HITECH Regulations (including those that protect the rights of minors) as they pertain to the services being provided.
COLLECTION OF DOMAIN INFORMATION
Canfield collects domain information as part of its analysis of the use of its websites. This data enables us to become more familiar with which customers visit our site, how often they visit, and what parts of the site they visit most often. Canfield uses this information to improve its web-based offerings. This information is collected automatically and requires no action on the customer’s part.
Canfield also uses web cookies. The type of information we collect includes the pages visited, files downloaded, type of browser used, etc. This information helps us to learn what pages are most attractive to our visitors, which of our products most interests our customers, and what kinds of offers our customers like to see.
Cookies cannot read data from hard drives. Web browsers may allow notification when a cookie is received, giving web users the choice to accept it or not. If cookies are not accepted, some pages may not fully function and users may not be able to access certain information on this site.
USE OF YOUR PERSONAL INFORMATION (PI)
Canfield’s website may be visited without divulging any Personal Information (PI). However, there are areas of the site that require Personal Information (PI) to complete their customization functions; functions that may not be available to those choosing not to provide the information requested.
PROTECTING OUR CUSTOMERS
Protecting and securing Personal Information (PI) is Canfield's top priority.
Canfield has put the appropriate administrative, technical, and physical safeguards in place to protect individuals’ personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
We prevent unauthorized access by a secure firewall and through the use of a security infrastructure to protect the integrity and privacy of subject information. We also keep subject Personal Information (PI) secure by encrypting any transfers of PI.
At Canfield, only authorized personnel will have access to Personal Information (PI) when it pertains to their job responsibilities.
Canfield seeks to use reasonable organizational, technical, and administrative measures to protect Personal Information (PI), but subjects should be aware that any electronic means of communication may carry some level of risk and that no data transmission or storage system can be guaranteed as 100% secure.
DISCLOSURE TO THIRD PARTIES
In cases where Canfield believes business interests will be served, Canfield may share information (excluding account, credit card, and ordering information) with Canfield distributors who can alert customers to new products and services to improve competitive edge. If customers receive unwanted marketing materials from any of our distributors, they can request to be removed from their contact lists.
Personal Information (PI) may be disclosed by Canfield to judicial or other government agencies subject to warrants, subpoenas, or other governmental orders in accordance with applicable law.
TRANSFER OF PERSONAL DATA
As part of Canfield’s responsibility for clinical trials, Canfield often receives Personal Information (PI) collected about subjects by the Investigative sites located all over the globe, including the EEA, Switzerland, and UK.
Any PI collected from participants in clinical trials that Canfield is involved in will be collected according to the contract of services and participant’s written consent, and under instructions from the trial sponsor. Canfield will not use any subject PI for any other purposes without obtaining a subject’s authorization first. Any questions from data subjects about the data collected by Canfield as part of a clinical trial should be directed to the trial sponsor.
Data transfers to countries outside the EU are deemed not to have an “adequate level of data protection.” To bridge this gap for U.S.-based companies, there is a mechanism for providing such adequate data protection known as the EU-U.S. Data Privacy Framework, the UK extension, and the Swiss-U.S. Data Privacy Framework, which is a program run by the U.S. Department of Commerce.
The Data Privacy Framework (DPF) is a self-regulatory mechanism under which U.S.-based companies can voluntarily agree to abide by a set of principles negotiated between the United States government and the European Commission. Transfers made to a DPF-certified company in the United States are deemed as having an adequate level of data protection.
For more information about the DPF, please visit the Program Overview (www.dataprivacyframework.gov).
Canfield complies with the principles of the EU-U.S. DPF, the UK extension, and the Swiss-U.S. DPF.
Privacy Trust will handle any disputes free of charge to the person raising them. Canfield will respond to all complaints within forty-five (45) days. Finally, as a last resort and in limited situations, EU, UK and Swiss individuals may seek redress from the DPF Panel, a binding arbitration mechanism.
Advisory: In addition to the DPF, Canfield may continue to rely on alternative data transfer mechanisms deemed appropriate by the relevant authorities to transfer data collected from the EEA, Switzerland, and the UK to the U.S., such as Standard Contractual Clauses (SCCs).
CANFIELD AS A DATA PROCESSOR
When participating in clinical trials and offering services to its clients, Canfield acts as a Data Processor as defined in the General Data Protection Regulation (GDPR). This means that Canfield does not make independent decisions regarding personal data received from the EEA, Switzerland, and/or the UK, and does not own or control such personal data; it only processes the data under instructions from the Data Controllers.
Canfield processes personal data for clinical trials (such as photographs, dates when photographs were taken, data subject coded identifiers which may include some of the following: initials, year of birth, etc.). Where possible, Canfield only receives pseudonymized data from EU, Switzerland, and the UK. Pseudonymization is a type of processing of personal data in a way that the data can no longer be attributed to a specific subject without the use of additional information.
CANFIELD IMAGING SYSTEMS
Canfield processes personal data (such as name, address, email addresses, IP address of computer, login time and day, pages viewed) in electronic form from its customers in the EEA, Switzerland, and the UK (e.g., institutions, physicians, aesthetic and retail establishments, etc.).
CANFIELD AS A DATA CONTROLLER
Canfield Imaging Systems (CIS):
When providing services to its clients, Canfield may act as a Data Controller. If Canfield has a need to use a subject’s personal data, the subject’s consent will be obtained first, with an explicit description of the uses of the subject’s data.
DATA PROTECTION OFFICER (DPO)
Canfield has appointed a Data Protection Officer (DPO), who is responsible for matters relating to privacy and data protection at Canfield. If subjects have any questions about collection or storage of their personal data, the Canfield DPO may be contacted using the information provided below.
Canfield Scientific, Inc.
4 Wood Hollow Road
Parsippany, NJ 07054
Canfield’s DPO – Tanya Demerjian
To comply with Article 27 of the GDPR, Canfield has also appointed an EU Representative in the Netherlands. Subjects can reach Canfield’s EU Representative at:
Canfield Scientific Europe, BV
Proostwetering 28A, 3543 AE
+31 (30) 241-2131
Canfield's EU Representative – Peter Kollias
Canfield recognizes its adherence to the Privacy Principles (Principles), including but not limited to the following:
NOTICE / TRANSPARENCY / ACCESS / RECTIFICATION
Every data subject has the right to know about the purpose(s) for which their personal data is being collected, what personal data about them is collected, whom they can contact to inquire about their data, and how to file a complaint if necessary.
As Canfield does not directly communicate with data subjects (clinical research participants) due to the nature of the agreements with the Data Controllers, Canfield assures that Data Controllers provide the data subjects with their right of notice.
Data Controllers are responsible for providing data subjects with their rights to know what data about them is being collected, for what purposes, and to whom outside of the EEA, Switzerland, and the UK it has been or will be transferred to.
It is the responsibility of the Data Controllers to obtain permission from the data subjects to transfer their personal data outside of the EEA, Switzerland, and the UK.
Personal data may be disclosed by Canfield to judicial or other government agencies subject to warrants, subpoenas, or other governmental orders in accordance with applicable law.
Data subjects must be given access to the personal data that Canfield holds about them. They should also be able to correct, amend, or delete this information where it is inaccurate.
Due to processing of clinical research data, there may be limitations for data subjects to access their data during the course of a clinical trial. This is because clinical research and its results must be protected from jeopardization. After the clinical trial has concluded, data subjects may request to exercise their right to access their data with the Data Controllers. If Canfield receives a request from the data subjects, such request will be forwarded to the applicable Data Controller.
CHOICE AND ONWARD TRANSFER
Canfield acknowledges that data subjects must be provided with the option to choose whether or not their personal data can be disclosed to third parties and used for purposes other than those for which it was collected.
It is the responsibility of the Data Controllers to provide this choice to the data subjects. This responsibility is ensured by the contractual obligations between Canfield (Data Processor) and its customers (Data Controllers) in the EEA, Switzerland, and the UK.
Personal data obtained by Canfield from data subjects in the EEA, Switzerland, and the UK will not be disclosed by Canfield without proper consent. If Canfield intends to use such personal data for purposes other than those for which it was intended, Canfield will obtain proper consent directly from the data subjects.
When providing services to its customers, Canfield may need to share an individual’s Personal Information (PI) with its subcontractors (Data Centers, Reviewers participating in Independent Panel Reviews, outside statistical services, etc.). Canfield obtains assurances that its subcontractors can guarantee compliance with this policy and provide an adequate level of protection and security (in alignment with the Principles) with regard to personal data obtained from the EEA, Switzerland, and the UK.
If data is transferred to third parties, Canfield remains liable and assures the parties have the same or higher level of data protection.
Canfield Imaging Systems:
Subjects can opt out of receiving marketing materials (right to object) by contacting Canfield distributors or by sending an e-mail to: DPO@CanfieldSci.com
ERASURE AND RESTRICTION OF PROCESSING
Every data subject has a right to erasure (to be forgotten) and the right to restrict processing of their data.
As Canfield acts strictly under the instructions from the Data Controllers, all requests for erasure and rectification must be forwarded to the Data Controllers. Canfield will destroy or rectify subjects’ data when and in a manner that is directed by the Data Controllers.
Additionally, due to Regulatory and contractual requirements for clinical studies, Canfield will store subjects’ data for a period of time no less than twenty-five (25) years.
Canfield will provide Data Controllers with subjects’ data it holds based on agreements between Canfield and Data Controllers. Data Subjects must contact Data Controllers to exercise their right to data portability (if applicable).
Canfield processes personal data received from EEA, Switzerland, and the UK based on the informed consent and in accordance with the contract of services.
In clinical trials, investigative sites are responsible for ensuring that consent is freely given, specific, and unambiguous.
Canfield will use personal data obtained from the EEA, Switzerland, and the UK explicitly for the purposes such information was collected. Canfield will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current. Data collected under the DPF will remain subject to these principles for as long as it is retained.
Canfield is committed to complying with this Policy and will periodically verify and confirm that it is accurate, up to date, and in compliance with the Principles. We encourage our customers who have concerns or questions regarding this Policy to contact Canfield’s DPO at DPO@CanfieldSci.com or at the mailing address below:
Attn: Data Protection Officer
Canfield Scientific, Inc.
4 Wood Hollow Road
Parsippany, NJ 07054
United States of America
Data subjects should submit complaints concerning the processing of their personal data to the applicable Data Controllers in the EEA, Switzerland, and the UK responsible for collecting their information in accordance with the relevant dispute resolution mechanism.
Subjects also have a right to lodge a complaint with the supervisory authority in the EEA, Switzerland, and the UK.
A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
Canfield is also subject to the investigatory and enforcement powers of the US FTC (Federal Trade Commission).
Canfield's Data Protection Officer (DPO) will ensure the enforcement of this Policy.
Any Canfield employee who violates this Policy will be subject to disciplinary action that may result in the termination of their employment with Canfield.
Canfield reserves the right to amend this Policy at any time to ensure its compliance with the Principles or applicable data protection regulations.
This policy is effective as of 03 September 2014 and was last updated 27 September 2023.