French version

Purpose of this policy

The confidentiality and protection of personal data are integrated into CERC internal process. We ensure that the data privacy of our users and collaborators is duly protected and that only necessary data are collected Please read this Data privacy and security Policy before using CERC Website or providing us with personal information.

CERC commitment

CERC is committed to improving measures to protect the personal data of all the individuals involved in its activities. Data subjects can be:
 Clinical investigation participants (team of investigator site, patients, …)
 Subcontractors
 Sponsors
 Users of our website
 Representatives of the scientific community

Définitions

Data Subject: natural person whose personal data will be collected and processed.
Controller: it is a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
Processor: it is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Amendment of the policy

This policy can be updated to maintain the compliance with the regulation and with CERC practices.
This policy describes the personal data collected and processed, the reason of the data collection, data use, data transfer, data protection, data storage, the description of your rights and our contact.

Personal data collected and processed

As part of our activities, we collect data concerning identification (names, postal address, mail address, …), professional information (mail address, CV, phone number, professional postal addresse, contact information, …) and data concerning health.
CERC collects these data
 when you provide us with them
 or with your consent

How do we use your data?

 To manage clinical investigation and contract execution
 For participation in the international clinical research
 To comply with the applicable regulation
 To give you access to our platforms and our tools to collaborate with us and develop our common projects
 To recruit new talents and skills to strengthen our teams
 So that we can communicate, respond to your requests and inquiries, provide support for our services, provide you with important information such as administrative information, send you news and information about our services
 To Respond to requests from administrative or judicial authorities in accordance with applicable law; respond to a judicial requisition, injunction, or any other decision of a judicial administrative authority CERC does not use your data for promotional purposes. The information will only be shared internally or with the appropriate authorities at their request.

Legal Basis

This data processing is necessary to conduct the clinical investigations included in the contract between CERC and a Sponsor. The collection of the data is necessary to establish the contract and for the application of the subcontracted services.

Purposes Legal basis Categories of data
Recruitment (CERC as
controller)
Consent of the data
subject
Contact informations
(email, phone), name, CV,
cover letter
Clinical investigation
management (CERC as
Processor)
Contractual
implementation and
legitimate interest of
the Sponsor
Professional contact
details, CV, trainings,
bank / economic details,
health data,
Contract management
(depending of the contract)
Contractual
implementation
Profesionnal informations
Contact form (chronicle,
investigators, other…)
(CERC as controller)
Consent of the data
subject
Contact informations
(email, phone), name
Management of
subcontractors (CERC as
controller)
Contractual
implementation
Professional contact
details, CV, trainings,
bank / economic details,
Management of Sponsor
(satisfaction survey, …)
CERC Legitimate
interest
Profesionnal information,
name, company,

CERC can use your data:
 To pursue our legitimate interest, provided that this interest does not conflict
with the interest or rights of a person.

Data transfer

For the application of a contract, some activities can be subcontracted by CERC.
CERC ensures that the selected subcontractors comply with the European data
protection regulation or implement appropriate measures to ensure the protection of
personal data of all data subjects.
CERC discloses only necessary information to perform subcontracted services and
does not authorize any subcontractor to retain, disclose or use the information for
any purpose other than that defined in the contract.

To conduct a clinical investigation, it may be necessary to transfer data to countries
outside of the European Union that do not provide the same level of protection as the
European Union. In such cases, CERC ensures that adequate safeguards are in
place to protect the data. These safeguards may be those recommended by the
European Commission, such as standard contractual clauses.
CERC does not sell your data to third parties.

Implementation of measures for data protection

CERC improves processing and, organizational and technical security measures to
ensure integrity and confidentiality of your personal data. These measures protect
data from unauthorized access, use and disclosure.

Data storage

CERC only stores your data during the clinical investigation conduct to fulfill the purpose described in this policy. The duration of data conservation is specified in the contract between CERC and the Sponsor. Information will be deleted within a reasonable time after the purpose is completed and in accordance with applicable rules and laws regarding the retention of certain documents – including, for example, to satisfy tax or security requirements. For clinical investigation in France, clinical study documents must be kept for at least 15 years.

Data subject rights

You can exercise your rights at any time. Your rights depend on the processing and are the following:
 Access: you can request access to or a copy of your personal data.
 Rectification: you can request the correction of your personal data if they are inaccurate, incomplete, or obsolete.
 Erasure: You may ask us to erase any personal data (without affecting the
lawfulness of the processing), where the processing and collection of your
personal data is based on your consent.
 Restriction of processing: in the situation describes in the GDPR regulation
 Data portability: you can request the transfer of your personal data to third parties. This right being applicable only when the processing is based on your consent.

 Object: you can object to the use of your personal data when the processing is based on CERC legitimate interest. In this case, you will have to justify your request and explain your specific situation.
If you wish to exercice any of these rights, please contact us by:
 Email: dpo@cerc-europe.org
 Address: CERC DPO – 7, rue du théâtre 91 300 Massy.

CERC will reply as quickly as possible.

You may also submit a complaint to the competent data protection authority regarding the processing of your personal data. In France, the competent authority is the “Commission Nationale de l’Informatique et des Libertés” CNIL.
However, we encourage you to contact us first if you want to exercise your rights.

If you have any questions or comments about this privacy policy, or if you would like to make any recommendations to improve the quality of our privacy statement, please email us at: dpo@cerc-europe.org.