EU-U.S. Data Privacy Framework Privacy Policy

EU-U.S. Data Privacy Framework Privacy Policy

Medidata’s Notice of Certification Under the EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, and UK Extension to the EU-U.S. DPF

Scope: Medidata Solutions, Inc. (“Medidata”) complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Medidata Solutions, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Medidata Solutions, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit

Data processed and purposes of data processing: Medidata provides an online platform and applications for our customers to operate aspects of their businesses, including the collection, processing and storage of clinical and operational data for the planning, conduct and optimization of clinical trials. Medidata’s customers decide what data to submit to our platform or applications, which may include information about their authorized users, employees, and clinical trial patients. Medidata processes this data as instructed by our customers, and does not control or own its customer’s personal data. Our customer instructions may include processing or using personal data for purposes of providing or developing the Medidata platform, applications and services, preventing or addressing service or technical problems, responding to support issues, responding to our customer’s instructions, or as may be required by law.

Third-party access to personal data and liability: Medidata only discloses personal data as instructed by our customers. In some cases, we may use third-party providers to assist us in providing or developing our platform or applications to our customers, such as to offer support to our customers and their authorized users and employees and to provide technical or operational support such as data hosting, transmission, and storage. These providers may access, process, or store personal data in the course of providing their services to Medidata. Medidata maintains contracts with these providers restricting their access, use and disclosure of personal data in compliance with our DPF obligations. Medidata may be liable if these third parties fail to meet those obligations and we are responsible for the event giving rise to the damage.

Right to access: As Medidata is a data processor, individuals who seek to access, correct, amend or delete personal data, should contact the Medidata customer (the data controller) who submitted your personal data to our platform or applications. In some instances, you may be able to perform these operations yourself through our applications. If the Medidata customer requests Medidata to remove the personal data to comply with data protection regulations, Medidata will respond to our customer’s request within 30 days.

Inquiries or complaints: In compliance with the EU-US Data Privacy Framework Principles, Medidata Solutions, Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles.  European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact

You may also refer any inquiries or complaints by mail to Medidata at:

Medidata Solutions, Inc.
Attn: Chief Privacy Counsel
350 Hudson Street, Floor 9
New York, NY 10014
United States

or to our EEA-based subsidiary at:

Medidata Solutions International Limited
Attn: Chief Privacy Counsel
Metro Bldg., 1 Butterwick, 7th Floor
Hammersmith, United Kingdom, W6 8DL

Medidata Solutions, Inc. has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See

Compelled disclosure: Medidata may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Medidata will notify our customer of any such requests unless prohibited by law.

U.S. Federal Trade Commission investigation and enforcement: Medidata’s commitments under the DPF are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.