Effective on: March 22, 2022
Introduction and Scope
Please read this Policy to learn what EVERSANA is doing with your Personal Data, how we protect it, and the privacy rights you may have under the General Data Protection Regulation (“GDPR”), the United Kingdom’s General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) (collectively, “Applicable Laws”).
This Policy does not apply to Personal Data we collect by other means, such as Personal Data of clinical trials participants we process in the course of providing life sciences services (the “Services”) to our customers, or the Personal Data of our employees.
Within the scope of this Policy, EVERSANA acts as a data controller for the Personal Data we process.
Processing of Personal Data
Depending on whether you are a current or prospective customer, a website visitor, or a current or prospective business partner (for example, a supplier), we may process various types of Personal Data, as described in the below Table. The Table below also shows you how and why we collect Personal Data and the categories of third parties with whom we share Personal Data.
Basis of Processing
We may process your Personal Data on the basis of:
- the need to perform a contract with you or to take steps at your request prior to entering into a contract;
- our legitimate interests, such as our interest in marketing and selling our Services;
- the need to comply with the law; or
- any other ground, as required or permitted by law.
Where we receive your Personal Data as part of providing our Services to you based on a contract, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.
What Personal Data We Collect, How We Receive Personal Data, and How We Use Your Personal Data
The Table below describes the categories of Personal Data we have collected about you in the last twelve months and how we obtained that Personal Data.
The CCPA requires us to categorize the Personal Data we collect into groups. Many of the categories are not collected in every situation, and some of the Personal Data is only collected at the direction of our customers through our Sales & Marketing Systems.
|Categories of Personal Data We Collect, Process, or Store||How We Obtain Your Personal Data||How We Use Your Personal Data|
Name, alias, postal address, email address, and similar identifiers.
|We may receive your Personal Data when:|
· you provide it directly to us through our Website;
· you provide it directly to us at an event or conference;
· you provide it to us while participating in a webinar we host or sponsor;
· we collect your information from publicly available platforms such as LinkedIn;
· our customers (including their employees, contractors, and other representatives of the company) provide it to us;
· we receive it from other companies within our corporate group;
· our service providers provide it to us;
· we purchase lists of individuals who might be interested in becoming customers of ours; or
· when a friend of yours or one of our partners or customers refers you to our Services by providing your Personal Data to us.
|We may process your Personal Data for the purposes of:|
· marketing and selling our Services to you;
· enabling the use of our Services;
· responding to your requests or questions; and
· sending you email marketing communications about our business which we think may interest you.
|Customer Records Information:|
Name, telephone number, address, email address and other similar customer records information.
|Professional or Employment-Related Information:|
Employment, employment history, information about your employer (such as the name, address and contact details of your employer) and other similar employment-related information.
Sharing Personal Data with Third Parties
We may share Personal Data with our subsidiaries and affiliates, as well as with our service providers, who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in providing support and infrastructure for our Sales & Marketing Systems, providing our Services, or as required by law.
We do not sell your Personal Data to third parties.
Please review the below Table to see the categories of Personal Data that we have disclosed, in the last twelve months, to third parties for our own operational business purposes and the categories of recipients of that Personal Data.
|Category of Personal Data||Categories of Third Parties to Which We Disclose Personal Data for Business Purposes.|
|Our service providers may provide:|
· application hosting services;
· cloud storage services;
· virus scanning services;
· email software;
· content management system (CMS) software;
· customer resource management (CRM) software;
· marketing automation software;
· webinar software;
· data analytics software; and
· email marketing software.
|Customer Records Information|
|Professional or Employment-Related Information|
International Transfers of Personal Data
Personal Data in the European Union and the United Kingdom is protected by data protection laws, however, other countries may not necessarily protect your Personal Data in the same way, or in such a way that prevents their courts, law enforcement, and national security authorities from accessing it. Data protection laws in these regions regulate how your Personal Data may be transferred to third parties located in other regions.
Some of these third parties may be located outside of the European Union, the European Economic Area, the United Kingdom, or Canada. In some cases, the European Commission and the United Kingdom may not have determined that the countries’ data protection laws provide a level of protection equivalent to European Union law and the law of the United Kingdom. We will only transfer your Personal Data to third parties in these countries when there are appropriate safeguards in place, such as the European Commission approved standard contractual clauses, and any standard contractual clauses approved by the United Kingdom. These may include the European Commission-approved standard contractual data protection clauses.
Other Disclosure of Your Personal Data
We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.
If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies, since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all of our Services’ features. For more information, please visit https://www.aboutcookies.org/.
You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Services do not have the capability to respond to “Do Not Track” signals received from web browsers.
Data Integrity & Security
We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.
When the purposes of processing are satisfied and no lawful basis of processing remains, we will delete your Personal Data.
Access, Review, Objection to Processing, and Portability
If we process your Personal Data, you may have the right to request access to, and the opportunity to update, correct, or delete such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability, which is the right to ask to have your Personal Data exported in a machine-readable format.
To submit these requests or raise any other questions, please contact us by using the information in the “Contact Us” section below.
Security of Your Personal Data
We have implemented and will maintain technical, organizational, and physical security measures that are reasonable designed to protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction.
Risk of Harm
Whenever Personal Data is collected and processed, there is always a slight risk that the Personal Data may be breached, misused, or otherwise result in a harm to you. However, we take several measures to ensure that this risk is mitigated as much as possible. These measures include limiting the Personal Data about you that we collect and process to solely what is necessary, not collecting sensitive Personal Data about you unless we clearly explain to you that we are and obtain your explicit consent beforehand, and implementing appropriate security measures, as described in this Policy.
Your Privacy Rights
You have specific rights regarding your Personal Data collected and processed by us. Please note that you can only exercise these rights with respect to Personal Data that we process about you when we act as a data controller or as a “business” under the CCPA. This is when Eversana decides why and how your Personal Data will be processed, rather than our customers making those decisions.
To exercise your rights with respect to information processed by us on behalf of one of our customers, please read the privacy policies of our customers. If you wish to make your request directly to us, please provide to us the name of our customers who submitted your data to us or let us know that you are uncertain about which of our customers submitted your data to us. Because we may only act upon instructions from our customers, we will refer your request to the relevant customer, and will support them as needed in responding to your request within a reasonable timeframe.
We may need to confirm your identity in order to process your request. A request can also be made on behalf of your child or ward (who is under the age of 18 years).
In this section, we first describe your privacy rights and then we explain how you can exercise those rights.
Right to Know What Happens to Your Personal Data
This is called the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.
Right to Know What Personal Data We Have About You
This is called the “right of access”. This right allows you to ask for full details of the Personal Data we hold on you.
You have the right to obtain from us confirmation as to whether or not we process Personal Data concerning you, and, where that is the case, a copy of or access to your Personal Data and certain related information.
Once we confirm your identity (or the identity of your authorized agent) who made the request, we will disclose to you:
- The categories of Personal Data we have collected about you;
- The categories of sources of the Personal Data we have collected about you;
- The business and commercial purposes for which we process your Personal Data;
- Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- The categories of third parties with whom we share that Personal Data;
- The specific pieces of Personal Data we collected about you (this is also called a data portability request);
- If we rely on legitimate interests as a lawful basis to process your Personal Data, the legitimate interests pursued by us or by a third party; and
- The appropriate safeguards for transferring data from the EU to a third country, if applicable.
The CCPA does not allow us to disclose social security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.
Right to Change Your Personal Data
This is called the “right to rectification”. It gives you the right to ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.
If your account settings do not allow you change it, please contact us and we will do our best to change the Personal Data for you.
Right to Delete Your Personal Data
This is called the right to erasure, right to deletion or the “right to be forgotten”. This right means you can ask for your Personal Data to be deleted.
Sometimes we can delete your information, but other times it is just not possible, like when the law tells us we cannot do that. If that’s the case, we will consider if we can limit how we use it.
There are certain occasions where we cannot fulfill a deletion request under Applicable Laws, and may deny your request, such as if we or our service providers need to retain the Personal Data to:
- Complete the transaction for which we collected the Personal Data;
- Provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Debug products to identify and repair errors that impair existing intended functionality;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- Enable solely internal uses reasonably aligned with your expectations based on your relationship with us;
- Comply with a legal obligation, including, but not limited to, obligations from the California Electronic Communications Privacy Act; or
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to Ask Us to Change How We Process Your Personal Data
This is called the “right to restrict processing”. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain occasions, such as where you believe the data is inaccurate or the processing activity is unlawful. This right enables you to ask us to suspend the usage of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
Right to Ask Us to Stop Using Your Personal Data
This is called the “right to object”. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). Also, you have the right to object at any time to the processing of your Personal Data for direct marketing purposes.
We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.
Right to Port or Move Your Personal Data
This is known as the “right to data portability” and enables you to ask for and download Personal Data about you that you have given us or that you have generated by virtue of the use of our services, so that you can:
- Move it;
- Copy it;
- Keep it for yourself; or
- Transfer it to another organization.
We will provide your Personal Data in a structured, commonly used and machine-readable format. When you request electronically to know what data we have about you, we will provide you a copy in electronic format.
Right Related to Automated Decision Making
We sometimes use computers to study your Personal Data. We might use this Personal Data, so we know how you use our Services. For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making, including profiling”. But in those cases, we will always explain to you when we might do this, why it is happening, and the effect.
Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.
If you have given consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.
Right Not to Be Discriminated Against for Exercising Your Privacy Rights
We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Right to Lodge a Complaint with a Supervisory Authority
If you are a data subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Union member states and the United Kingdom.
How Can You Exercise Your Privacy Rights?
To exercise any of the rights described above, please submit a request by either:
- Filling out this online form
- Calling us at +1 (877) 627-2509 (Pin 891704);
- Contacting us by email at [email protected]; or
- Writing to us at:
Attn: Associate Counsel
190 North Milwaukee Street
Milwaukee, WI 53202
What are Authorized Agents?
You may appoint an authorized agent to exercise your rights on your behalf. You should appoint such agent via written permission or a power of attorney pursuant to Probate Code sections 4000 to 4465 (if you reside in the State of California) or the applicable rules for authorizing somebody else to exercise your rights in your country of residence.
To verify that your authorized agent acts on your behalf, we will ask for this written permission from your agent or for the power of attorney. In case you provided your authorized agent with a written permission, we will require that you also verify your identity.
How We Will Verify Your Identity
Bear in mind that to evaluate your privacy rights requests, we need to be sure it was you who made the request. We will verify your identity via the following methods:
- we will send you an email requesting that you confirm certain personal data that we have in our records; OR
- we will call you at the number you provided when you submitted a request relating to your privacy rights and will request that you confirm certain personal data that we have in our records.
To carry out the verification, we may ask you for information you provided to us previously, such as your contact number, email address, date of birth, your zip code, or the date that you last received a call/communication from us.
Please note that you may only make a consumer request to know or a data portability request twice within a 12-month period.
How and When We Will Respond to Your Requests
We will confirm the receipt of your request within ten (10) days and, in that communication, we will also describe our identity verification process and when you should expect a response, except when we have already granted or denied the request.
Please allow us up to 30 days to reply to your requests from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will send our written response by mail or electronically, at your option.
Consider that we will only cover the twelve-month period preceding the moment we receive the request in any disclosures we provide you with.
If we cannot satisfy your request, we will also explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.
In most cases, we will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination, and we will provide you with a cost estimate before completing your request.
Privacy of Children
We do not knowingly collect the Personal Data of children under the age of 18 in the context of our Sales & Marketing Systems.
Changes to this Policy
If we make any material change to this Policy, we will post the revised Policy to this web page. We will also update the “Effective” date. By continuing to use our Services after we post any of these changes, you accept the modified Policy.
If you have any questions about this Policy or our processing of your Personal Data, please write to us by email at [email protected] or by postal mail at:
Attn: Associate Counsel
190 North Milwaukee Street
Milwaukee, WI 53202
Please allow up to four weeks for us to reply.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
|VeraSafe Ireland Ltd|
Unit 3D North Point House
New Mallow Road
|VeraSafe Czech Republic s.r.o.|
|VeraSafe Netherlands BV|
1017 DR Amsterdam