Medidata’s Notice of Certification Under the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework
Scope: Medidata Solutions, Inc. (including our US subsidiary Intelemage, LLC; together, “Medidata”) commits to adhere to the principles of the EU-US Privacy Shield framework and the Swiss-US Privacy Shield framework with respect to personal data from the European Economic Area (EEA) and Switzerland, respectively, submitted by our business customers in reliance on the Privacy Shield where Medidata acts as a data processor. Medidata also commits to adhere to the principles of the US-EU and Swiss-US Privacy Shield frameworks with respect to human resources data and to personal data from the EEA and Switzerland submitted to its websites.
Medidata also receives some personal data from our business customers in reliance on other data transfer compliance mechanisms, including data processing agreements based on the European Union Standard Contractual Clauses.
Information about Medidata’s Privacy Shield certification and the EU-US and Swiss-US Privacy Shield frameworks can be found here: https://www.privacyshield.gov.
Data processed and purposes of data processing: Medidata provides an online platform and applications for our customers to operate aspects of their businesses, including the collection, processing and storage of clinical and operational data for the planning, conduct and optimization of clinical trials. Medidata’s customers decide what data to submit to our platform or applications, which may include information about their authorized users, employees, and clinical trial patients. Medidata processes this data as instructed by our customers, and does not control or own its customers’ personal data. Our customers’ instructions may include processing or using personal data for purposes of providing or developing the Medidata platform, applications and services, preventing or addressing service or technical problems, responding to support issues, responding to our customers’ instructions, or as may be required by law.
Third-party access to personal data and liability: Medidata only discloses personal data as instructed by our customers. In some cases, we may use third-party providers to assist us in providing or developing our platform or applications to our customers, such as to offer support to our customers and their authorized users and employees and to provide technical or operational support such as data hosting, transmission, and storage. These providers may access, process, or store personal data in the course of providing their services to Medidata. Medidata maintains contracts with these providers restricting their access, use and disclosure of personal data in compliance with our Privacy Shield obligations. Medidata may be liable if these third parties fail to meet those obligations and we are responsible for the event giving rise to the damage.
Right to access: As Medidata is a data processor, individuals who seek to access, correct, amend or delete personal data should contact the Medidata customer (the data controller) who submitted your personal data to our platform or applications. In some instances, you may be able to perform these operations yourself through our applications. If the Medidata customer requests Medidata to remove the personal data to comply with data protection regulations, Medidata will respond to our customer’s request within 30 days.
Inquiries or complaints: If you are located in the EEA or Switzerland and believe Medidata maintains your personal data in our platform or one of our applications within the scope of our Privacy Shield certifications, you may direct any inquiries or complaints regarding our privacy practices to email@example.com. Medidata will respond within 45 days. If we fail to respond within that time, or if our response does not address your concern, you may contact BBB EU PRIVACY SHIELD (“BBB”), a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. Please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information or to file a complaint. BBB has committed to respond to complaints and to provide appropriate recourse at no cost to you. If neither Medidata nor BBB resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel. Please visit the Privacy Shield website at www.privacyshield.gov for further information on the arbitration process.
In the EU, the EU Data Protection Authorities (DPAs) will be used for dispute resolution for unresolved Privacy Shield complaints involving human resources data. In Switzerland, the Swiss Federal Data Protection and Information Commissioner will be used for dispute resolution for unresolved Privacy Shield complaints involving human resources data.
You may also refer any inquiries or complaints by mail to Medidata at:
Medidata Solutions, Inc.
Attn: Chief Privacy Counsel
350 Hudson Street, Floor 9
New York, NY 10014
or to our EEA-based subsidiary at:
Medidata Solutions International Limited
Attn: Chief Privacy Counsel
Metro Bldg., 1 Butterwick, 7th Floor
Hammersmith, United Kingdom, W6 8DL
Compelled disclosure: Medidata may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Medidata will notify our customer of any such requests unless prohibited by law.
U.S. Federal Trade Commission investigation and enforcement: Medidata’s commitments under the Privacy Shield framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.