This policy applies to Ora and for all purposes discussed herein the data Controller is Ora.
During the processes of screening/recruiting prospective patients for clinical trials, operating and maintaining our website, conducting marketing activities, collecting information from our prospective customers, employees, contractors, and collaborators, Ora may collect the following PI (without limitation):
Sensitive or Special Data
Ora collects and processes PI under the following circumstances:
|Process||Legal Basis||Purpose for Processing|
|Prospective Clinical Trial Patients Recruitment/ Screening||Consent/Permission||In order effectively recruit patients for clinical trials, Ora must (with your consent) collect, retain, and process, contact information and limited Medical/Health information (as described above).|
|Prospective Customers and Collaborators||Legitimate Interest||Ora has a legitimate interest in expanding its professional network and the growth of its business. Collecting contact information and other details from prospective customers and collaborators relevant to its business is necessary for this purpose in order to communicate with them. Having considered purpose and necessity, Ora assesses that the balance favors its processing as it is reasonable for prospective customers and collaborators submitting their PI to expect that their business contact details will be processed, and the impact on them will be low. The information submitted is subsequently collated and added to a business contact database. Ora also ensures that it provides these data subjects the opportunity to exercise their rights.|
|Prospective Employees||Legitimate Interest||Ora has a legitimate interest in soliciting candidates for employment to identify and evaluate talented prospective employees to contribute to the growth of Ora’s business. Collecting PI from candidates is necessary for Ora to effectively and efficiently identify candidates for positions, evaluate their qualifications (i.e. prior experiences), and process submitted employment applications. Having considered purpose and necessity, Ora assesses that the balance favors its processing as it is reasonable for prospective employees submitting their PI to expect that their business contact details will be processed, and the impact on them will be low. The information submitted is processed in an applicant database. Ora also ensures that it provides these data subjects the opportunity to exercise their rights.|
|Investigator and Site Recruiting||Legitimate Interest||Ora has a legitimate interest in collecting PI from clinical investigators and clinical sites in order to identify and evaluate talented prospective investigators and sites to contribute to the growth of OraNet™ and to provide information to its customers in relation to the capacity to carry out clinical trials. Ora must be able to effectively and efficiently vet such potential new members of OraNet™ by evaluating their qualifications (i.e. prior experiences, resumes, etc.). Having considered purpose and necessity, Ora assesses that the balance favors its processing as it is reasonable for prospective clinical investigators and clinical sites submitting their PI to expect that their resumes and business contact details will be processed, and the impact on them will be low. The information submitted is processed in a clinical investigator and site database. Ora also ensures that it provides these data subjects the opportunity to exercise their rights.|
|Survey Administration||Consent/Permission||From time to time, we may request information from you via surveys. Participation in these surveys is completely voluntary, and, therefore, you have the choice of whether or not to disclose such information. Information requested may include contact information (such as name, correspondence address and telephone number), and demographic information (such as zip or postal code or age).|
Access to PI will at all times be restricted to only those individuals who require access to perform a necessary job function in accordance with the original purpose of collection (Principle of Least Privilege). Ora may share your PI with third parties that process information on its behalf. These may include (without limitation):
Any such third parties receiving PI are required to sign confidentiality agreements or provide assurance agreeing to handle all confidential information containing personal data in accordance with applicable law. Additionally, Ora will validate any third party involved in the processing of PI will have the proper technical and organizational measures in place to protect PI.
Except as described above, we will not otherwise use or disclose any of your PI, except to the extent reasonably necessary: (i) to correct technical problems and malfunctions and to technically process your information; (ii) to protect the security and integrity of our Web site; (iii) to protect our rights and property and the rights and property of others; (iv) to take precautions against liability; (v) to the extent required by law or to respond to judicial process; or (vii) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety, as applicable.
When sharing PI with third parties (including any international transfers of data that may occur) Ora will take all necessary steps to ensure the protection of this information by implementing appropriate safeguards relative to the risk and sensitivity of the information being shared. Ora may also transfer information across international borders when necessary. When international transfers do occur Ora implements a GDPR compliant transfer method as follows:
|International Transfer||Compliant Transfer Method|
|Collecting and processing PI from prospective customers, collaborators, Investigators around the world involves transferring information internationally.||Privacy Shield|
|Collecting and processing PI from prospective employees from around the world involves transferring information internationally.||Privacy Shield|
Ora maintains a high level of security, particularly in relation to PI. Computer equipment, networks, programs, data and documentation is maintained to a high standard, and access to data and equipment is at all times restricted to appropriate staff. Ora’s security framework is designed to ensure that holistic and effective security practices are maintained to protect PI that Ora collects and processes.
Ora will retain PI only for as long as is necessary for the purpose(s) for which it was collected and in accordance with any applicable consent given in relation to such PI and any applicable laws.
Data will be securely destroyed upon request by a data subject (when applicable), or the data is no longer needed for the purpose(s) it was collected for.
Individuals have the following rights in relation to their PI*
|Right to Access||The right to view your PI that is being processed and/or request a copy of this data.
There is no charge for Ora providing you with this data and it will typically be provided within three weeks of the request (unless the request is unfounded or excessive).
|Right to Rectification||The right to have PI rectified if it is inaccurate or not up to date.
When applicable, Ora will promptly update any incorrect information.
|Right to Erasure||The right to have PI deleted.
When applicable, Ora will promptly delete the requested data.
|Right to Withdraw Consent||The right to withdraw previously given consent for processing PI.
When applicable, Ora will cease processing PI collected by the basis of consent.
|Right to Data Portability||The right to have PI transferred to him/herself or to another controller.
When doing so the information will be provided in a machine-readable electronic format.
|Right to Object||The right to stop processing of PI, contingent that the objection to processing is based on legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling).|
|Right in Relation to Automated Decision Making||Right to object to a decision based on automated processing.
When possible a manual review of information will be conducted to reach a decision.
*Not all rights are guaranteed. Legal basis for collection/processing, the requirement of disproportionate effort, legal requirements, and other factors can have an impact on data subject rights.
No automated decision making is used to process PI.
If Ora should ever file for bankruptcy or be acquired by a third party, merge with a third party, sell all or part of our assets, or otherwise transfer substantially all of our relevant assets to a third party, Ora is entitled to share the PI to potential and subsequent business and merger partners.
Ora makes no representations about the content of the information found on this Web site. The information presented on this Web site is provided to you “AS IS,” WITHOUT ANY WARRANTY, IMPLIED OR EXPRESSED, INCLUDING BY WAY OF EXAMPLE BUT WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR OTHERWISE. Under no circumstances shall Ora assume liability for the use or interpretation by you of information found on this Web site; rather, this will be your responsibility. Ora expressly disclaims liability for any direct, indirect, incidental, consequential or special damages arising out of your visit to this Web site and/or the information contained on this Web site, even if Ora is proven negligent.
The following definitions apply to terms used throughout this policy:
Personal Information (PI):
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
All communications, questions or concerns about these privacy policies should be addressed to Ora’s Data Protection Officer at: OraDPO@oraclinical.com
Please note that in instances where Ora is acting as the clinical research organization (CRO) for one or more of its customers (clinical sponsors) in its capacity of managing clinical trials, Ora’s customer is the data Controller and Ora is the data processor.