Introduction
Lindus Health and its affiliates, subsidiaries and related entities (“Lindus Health”, “we'', “our”) is committed to protecting the privacy and security of the personal data we collect about end customers and users of our services (“you/your”).The purpose of this privacy notice is to explain what personal data we collect about you and how we use it.
Please read this privacy notice carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below or by emailing us at: data@lindushealth.com
This notice applies to the following individuals located in the UK, EEA or Switzerland:
- Volunteers for clinical trials (“Trial Volunteers”)
- Doctors and staff at the medical facilities we work with (“Medical Staff”)
- Individuals who use the Contact Us form on our website (“Website Contacts”)
- Employees of our suppliers (“Suppliers”)
- Sponsors of clinical trials (“Sponsors”)
Personal data we process and why
Trial Volunteers
Purpose:
We process personal data from Trial Volunteers (or the parent, guardian, or representative of a Trial Volunteer where the Trial Volunteer is under 18 or otherwise unable to provide the data themselves):
- to pre-screen Trial Volunteers in order to assess whether they qualify to participate in a clinical trial;
- to facilitate the conduct of the clinical trial; and
- to help us improve our products and services.
Purposes for processing
Lindus may process your personal data for one or more of the following purposes:
- To pre-screen volunteers in order to assess whether they qualify for a trial.
- To facilitate the conduct of the trial.
- To email volunteers information about forthcoming trials that we believe may be of interest to them.
- To maintain and expand our patient community database.
- To keep in contact with our network of Health Partners, trial sponsors and suppliers.
- To improve our product and services.
- To respond to email and web contact form enquiries.
Categories of personal Data
We collect the following categories of personal data from Trial Volunteers:
- full name
- email address;
- phone number;
- age;
- gender; and
- special category data, including health data and ethnicity. Where we collect special category data relating to the Trial Volunteer’s identity, state of health and lifestyle, the data we collect will vary depending on the nature and requirements of the specific trial they have signed up to. Therefore, it is not possible to provide an exhaustive list of personal data collected in this Privacy Notice. Trial Volunteers should refer to the patient information form provided for their specific trial for full details on the health data collected. Some common examples of the special category data we might collect from Trial Volunteers are:
- ethnicity;
- underlying health conditions;
- allergies;
- previous medical treatment and procedures;
- medication taken;
- mental health;
- pregnancy;
- diet;
- smoking and alcohol consumption; and
- drug use
Lawful basis
With regards to pre-screening and facilitating the conduct of a clinical trial:
- Although we will always obtain ethical consent from Trial Volunteers to participate in the trial, this will not be our lawful basis under the General Data Protection Regulation 2016/69 and UK Data Protection Act 2018 (together, the “GDPR”). The lawful basis we rely on for both purposes described above shall be Article 6(1)(f), legitimate interest (our legitimateinterest of a Sponsor, to conduct the clinical trial to test the safety and efficacy of the drug/device/diagnostic method which is the subject of the clinical trial).
- Health data is a special category of personal data under the GDPR. The GDPR requires us to have an additional reason to process this type of personal data. Our processing of health data is for scientific research purposes under Article 9(2)(j) of the GDPR.
With regards to improvements to our products and services:
- Where the personal data processed is not health data, our lawful basis under Article 6 of the GDPR is our legitimate interest to improve our products and services.
- Where the personal data processed is health data, our lawful basis underArticle 6 of the GDPR is consent, and the additional reason under Article 9(2)(a) is explicit consent. You can provide your consent when you sign the patient information form.
Medical Staff
Purpose:
We process personal data from Medical Staff to:
- facilitate the conduct of a clinical trial; and
- keep in contact with them
Categories of personal data
We collect the following categories of personal data from Medical Staff, or from publicly available sources such as hospital websites and LinkedIn:
- full name;
- email address; and
- phone number.
Lawful basis
The processing of personal data from Medical Staff is:
- our legitimate interest, or the legitimate interest of a Sponsor, to conduct the clinical trial to test the safety and efficacy of the drug/device/diagnostic method which is the subject of the clinical trial; and
- our legitimate interest to keep in contact with Medical Staff. We will provide you with the option to opt out of communications at the point wecollect your personal data.
Suppliers
Purpose:
We process personal data from Suppliers to:
- receive services from them; and
- keep in contact with them.
Categories of personal data
We collect the following categories of personal data from our Suppliers, or from publicly available sources such as hospital websites and LinkedIn:
Lawful basis
The processing of personal data from Suppliers is:
- necessary for the performance of a contract between us and the Supplier, to receive services from them;
- our legitimate interest to keep in contact with our Suppliers.
Sharing your data
Third parties
We may share your personal data with third parties in the circumstances described below. We will ensure these third parties are only allowed to use your personal data in accordance with our instructions and pursuant to a written contract.
- Hosting cloud infrastructures will store personal data that is collected by Lindus Health. Our cloud infrastructure is AWS.
- Invoicing and payment providers will receive personal data from Medical Staff, Suppliers and Sponsors where necessary to make or receive payments. These include Tipalti and Xero.
- Communication tools used to send newsletters or other emails will receive personal data of Trial Volunteers, Website Contacts, Suppliers, and Sponsors. These include Hubspot, Google, Calendly, and Zoom.
- Customer relationship management systems will receive personal data of Sponsors. These include HubSpot.
- Trial services: In order to volunteer for a trial, the personal data of Trial Volunteers may be shared with a trial site, Sponsor, or other third parties contracted to work on the trial, or conducting services necessary for the delivery of the trial. The service providers include Jotform, SmartSheets, Florence, Virtual Incentives (for payments to Trial Volunteers), and DocuSign.
International data transfers
Some of the third parties we contract with in order to provide our services are based outside the UK, EEA or Switzerland. We will only share (including makingavailable remotely) personal data with third parties outside of the UK, EEA or Switzerland where:
- the transfer is to a country (or an international organisation) that the UK or EU government has determined ensures an adequate level of protection;
- the appropriate EU Standard Contractual Clauses (“SCCs”) or UK International Data Transfer Agreement (“IDTA”), has been put in place between Lindus Health and the entity located outside the UK or EU;
- binding corporate rules have been implemented, where applicable; or
- where the transfer is otherwise permitted by law.
By completing the pre-screen signup process, you accept that Lindus Health may transfer your personal data outside of the UK or EU where necessary.
How long we keep your data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to:
- enable us to meet our contractual obligations;
- enable us to comply with legal and regulatory requirements (for example,we may be required to retain certain clinical trial data from Trial Volunteers under applicable law); and
- to deal with complaints and claims.
At the end of the applicable retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.
Your rights and options
You have the following rights in respect of your personal data:
- Right of access: You have the right to request copies of the personal data we collect about you and information about our processing of it. Wewill provide the copies of your personal data free of charge. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
- Right to rectification: If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
- Right to withdraw consent: Where we are using your personal data with your consent, you can withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal. If you have signed up to our newsletter, you can withdraw your consent by using the opt out feature provided in the email. Otherwise, please email us at data@lindushealth.com.
- Right to object to processing: Where we are using your personal information because it is in our legitimate interests to do so, you can object to us using it this way. Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
- Right to restrict processing: You can ask us to restrict the use of your personal data if you believe:
- it is not accurate;
- it has been processed unlawfully by us (but you do not want us to delete it);
- we do not need it any-more (but you want us to keep it for use in legal claims); or
- if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
- Right to erasure: In certain circumstances you can request that we delete your personal data. For example, you can request we delete personal data that we no longer need for the purpose it was collected for, or if you withdraw your consent for our processing of your personal data under the GDPR (where our processing was based on your consent).
- Please note that under Article 17(3)(d) of the GDPR, where we are processing personal data for research related purposes, the right to erasure does not apply as it would be likely to render impossibleor seriously impair the achievement of our research.○This means that where you have chosen to take part in a study, wemay not always be able to delete your data.
- Right to object to automatic decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
- Right to data portability: When we are processing your personal data under the lawful basis of performance of a contract, you can request your personal data in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance.
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights.However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.If you wish to exercise your rights, you may contact our Data Protection Officer using the details set out below within the “Contact Us” section. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updatedIf you have any concerns or complaints about our processing of your personal data, you can also lodge a complaint with the Information Commissioner’s Office. They can be contacted using the information provided here: [LINK: https://ico.org.uk/global/contact-us/].
Children's privacy
We do not offer our products and services to children and we do not knowingly collect Personal Data of children without parental consent, unless permitted bylaw. If you are a child (under 18 years old), you must have your parent’s permission to take part in a clinical trial. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.
Contact Us
If you have any questions, or wish to exercise any of your rights, then you can contact us at the following address: Lindus Health, 90 Union Street, London, SE1 0NWAlternatively, you can email us at data@lindushealth.com
Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify you of the changes where required by applicable law to do so.
