UAB Baltic Clinical Research (hereinafter “BalticCRO” or we/us) is a company located in Kaunas, Lithuania. BalticCRO operates in Europe since 2014, providing services in Clinical Trials, Pharmacovigilance and Regulatory Affairs.
BalticCRO shall inform individuals of the purpose for which it collects and uses their personal data and the types of third parties to which it may disclose that information. BalticCRO shall provide individuals with the choice and means for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to BalticCRO, or as soon as practicable thereafter, and in any event before BalticCRO uses or discloses the information for a purpose other than for which it was originally collected.
Where BalticCRO receives personal information from other entities in the EU or European Economic Area, including when acting as a CRO processing personal information under the direction of a client, it shall use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
BalticCRO may not need to furnish notice where the processing in question is necessary to respond to a government inquiry; is required / authorized by applicable laws, court orders or government regulations; or is necessary to protect BalticCRO legal interests.
1. Types of personal data that BalticCRO processes, purposes and legal basis of processing
1.1. BalticCRO endeavors to use personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. We are taking reasonable steps designed to ensure that only Personal Information that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained is used by BalticCRO for as long as BalticCRO retains possession of such information.
1.2. Unless required or authorized by law, BalticCRO will not process sensitive personal information about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual, unless the individual affirmatively and explicitly consents to the processing (“opt-in”).
1.3. More specifically, we may process data in the course of our following services:
a) Clinical Research
i. As a CRO, we collect health data relating to clinical trial subjects, on behalf and according to the directions of our clients/sponsors. To enhance privacy and consistent with Good Clinical Practice, subjects’ names and other direct identifiers are not attached to any records collected and archived by BalticCRO (e.g. at the CRF documents). Instead, subjects are only identified by a code. Only study doctors and authorized BalticCRO personnel (monitors) may access the complete, named, subject records at the investigational sites. All clinical information processed by BalticCRO is done so under contract with our clients/sponsors. In terms established by the GDPR, BalticCRO considers that the client/sponsor is the “controller”, that is ultimately in control of how and why clinical and medical data are processed, whilst BalticCRO is the “processor”, that acts on the sponsor’s directions. The processing occurs based on the explicit consent of the study subjects, obtained by the designated study doctors or investigational sites and acting upon written contracts between the sponsor, the doctor and the investigational sites.
b) Healthcare professionals’ information
i. BalticCRO collects the professional profiles (CVs) of doctors and other health care providers for the purpose of identifying potential investigators to assist in clinical research on specific indications. BalticCRO may use available contact information, including email addresses, for the purpose of inviting potential investigators to apply to participate in research. We may source health professional information from our own databases and also indirectly from public sources and referrals.
ii. Moreover, BalticCRO may collect health professional’s contact information (such as e-mail address) and basic personal identifications (such as name, medical specialty) and/or some patient’s information that they may choose to disclose to us (name, telephone number, address), within the context of receiving Medical Information regarding a product.
iii. For operational purposes, BalticCRO may also collect information relating to the involvement and performance of investigators and supporting study staff. We shall retain the health professionals’ information based on the execution of existing contact or based on the serving of our legitimate interests (for the continuity of our business records and cooperation with them).
iv. We shall not use these data for any further or different purpose than the ones stated above and we shall process them only according to the relevant legal framework, applying necessary technical safety measures.
i. Pharmacovigilance (PV) is an activity contributing to the protection of patients’ and public health. Each Marketing Authorisation Holder (MAH) has to establish an appropriate pharmacovigilance system for the collection, evaluation and notification of safety information relevant to the risk-benefit balance of medicinal products of its responsibility. BalticCRO, as a CRO, may undertake the conduct of PV services during Clinical Trials phases, as well as in Post-Marketing periods of a medicinal product according to the assignment of some or all of the functions of the Pharmacovigilance System by the MAH and on behalf of that MAH.
ii. According to the applicable EU legislation the MAHs should collect as much information as possible on the suspected drug-related adverse events. Thus, the PV data that BalticCRO may collect and process on the MAHs behalf may include information that identifies the patient and the reporter, such as initials, age / age group / date of birth, weight, height, ethnic origin. Also information about health (predisposing conditions, disabilities, disorders etc.), information about the adverse reaction / incident (e.g. symptoms, duration, outcome, suspected drug / device, concomitant medication, medical history, relevant medical test / procedures), other relevant medical history. The personal identification and contact details may also be collected if there is a follow-up to the adverse events required.
iii. We may use your information to investigate the adverse reaction / incident, fulfil the obligations to report the information of the adverse reaction / incident to the appropriate Competent Authorities, contact you for further information about the adverse reaction / incident you reported. We will not process your Personal Data for any other purpose than described above.
d) Employee and Human Resource data
i. BalticCRO collects personal information from applicants to open positions within BalticCRO, including private contact details, professional qualifications and previous employment history, necessary to reach to employment decisions. Once employed, BalticCRO collects information on staff for human resource, performance, payroll and tax purposes. Various BalticCRO internal systems will collect and record employee information consistent with standard business operations. BalticCRO may process similar information relating to consultants contracted on a freelance basis.
ii. BalticCRO may also collect and transfer the CVs of its employees or partners to competent authorities and/or its contractual partners, in cases this is mandated by standard legal procedures and/or according to an existing contract between BalticCRO and the said partner, or during the pre-contractual stage thereof (e.g. CV of Qualified Person Responsible for Pharmacovigilance).
iii. BalticCRO may keep Employee Training Records, containing their personal information, experience, position and training details, in the context of the execution of their contract with BalticCRO, which Record employees should ensure that it is being regularly updated.
e) Website visitors
i. BalticCRO collects named information about visitors to BalticCRO website, www.balticCRO.com, where this is voluntarily provided to meet a request from those individuals, by filing our on-line contact form. For example, we may collect information where a client addresses to us a request on a BalticCRO service, someone wants to apply for a vacant position with BalticCRO, or when someone wants to participate in training events that BalticCRO may organize. Through the use of cookie-based technologies, BalticCRO may collect various data linked to virtual identities allocated to visitors when they access our websites. This data is used for various purposes, including site analytics and first party marketing. In certain cases, these virtual identities are linked to the real world identities of visitors only when they choose to provide their named information as described.
f) Training registration data
i. BalticCRO collects personal information from customers registering to training courses organized by BalticCRO. This information is used for the purpose of confirming training participant registration and contacting them in regard to the organized training. We collect Personal Data (first name, last name, phone number, e-mail address, company name, job title) provided directly from customers when providing us with the completed registration forms either through our website or e-mail.
ii. We shall not use these data for any further or different purpose than the ones stated above and we shall process them only according to the relevant legal framework, applying necessary technical safety measures.
2. Transfer of Data
2.1. We do not and will not sell, rent out or trade your personal information. We will only disclose (transfer, share, send, or otherwise make available or accessible) your personal information to third parties in the ways set out in this Policy.
2.2. BalticCRO may disclose individuals’ personal information to a third party or use it for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual, only if the individual consents to such further processing.
2.3. BalticCRO may share individuals’ personal information with its agents, contractors, clients or partners in connection to services that they perform for, or with, BalticCRO. We shall ensure that any third party to which personal information may be disclosed subscribes to the principles set hereby and is subject to applicable legal framework (including GDPR), providing the same level of privacy protection as is required by these principles and agree in writing to provide an adequate level of privacy protection.
2.4. In some cases, BalticCRO may disclose personal information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if we believe disclosure is necessary or appropriate to prevent vital individual’s interests (e.g. from physical harm) or in connection with an investigation of suspected or actual illegal activity.
2.5. As part of pharmacovigilance obligations, we may share your information with national and/or regional authorities in accordance with pharmacovigilance laws inside and outside EU/EEA. We might share your Personal Data (except your name and contact details) with Marketing Authorization Holders of (suspected) drug / device.
2.6. BalticCRO may also transfer personal information in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, BalticCRO will direct the transferee to use personal information in a manner that is consistent with this Policy.
3. Data Integrity
3.1. BalticCRO shall only process personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes BalticCRO shall take reasonable steps to ensure that personal information is accurate, complete, current and reliable for its intended use.
4. Individuals’ rights
4.1. Upon request, and as required by law, BalticCRO will provide to the individuals access to their personal information and allow them to correct, amend or delete inaccurate information, except where the rights of other persons would be violated, legal provisions prohibit it and in any case in accordance to the relevant provisions of GDPR. Individuals, moreover, have the right to address to the State Data Protection Inspectorate of Lithuania, if they believe that any of their rights thereof are being violated.
4.2. BalticCRO reserves the right to charge in some cases a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals. BalticCRO, when acting as a CRO at the conduct of clinical trials, has no direct relationship with clinical research subjects participating in them and any such Individuals who seek access, or who seek to correct, amend, or delete their Personal Information should direct his or her query to the relevant study sponsor or investigator, which has only transferred such Personal Information to BalticCRO for processing according to their agreement.
5. Data storage and retention
5.1. We will not retain data longer than necessary to fulfil the purposes for which it was collected, according to our contractual arrangements, or as required by applicable laws and regulations.
5.2. The information you provide to us may be archived or stored periodically by us, according to backup processes and will only be retained for as long as is it required for the purposes for which it was collected, unless the law requires us to hold your personal information for a longer period, or delete it sooner, or unless you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.
5.3. Namely, regarding pharmacovigilance, according to the provisions of “Commission Implementing Regulation (EU) No 520/2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council” and articles 12 and 16 thereof: “Marketing authorization holders shall arrange for the elements referred to in Article 2 (the pharmacovigilance system master file) to be kept for at least five years after the system as described in the pharmacovigilance system master file has been formally terminated by the marketing authorization holder. Pharmacovigilance data and documents relating to individual authorized medicinal products shall be retained as long as the product is authorized and for at least 10 years after the marketing authorization has ceased to exist. However, the documents shall be retained for a longer period where Union law or national law so requires.”.
5.4. Moreover, regarding clinical trials, the Regulation (EU) no 536/2014 of the European Parliament and of the Council on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, provides that: (…) the sponsor and the investigator shall archive the content of the Τrial Μaster File (TMF) for at least 25 years after the end of the clinical trial. (…) The medical files of subjects shall be archived for at least 25 years since the last visit of the last subject that participated in the clinical trial, regardless if the trial has been conducted in a public or private hospital”. However, BalticCRO may only retain the TMFs as long as its contractual obligation towards its contractual party for every specific project is in effect.
5.5. We always aim to process your Personal Data within EU/EEA. Your personal data might be transferred or processed in a country outside EU/EEA, if you have requested to provide you information about services in countries outside of the EU/EEA.
5.6. Your Personal Data will be stored under secure conditions in locked fireproof cabinets with limited access (for paper files), in secure limited access internal servers and/or at secure limited access European cloud service providers servers (for electronic files), and email box with limited access.
8. Contact Information