Privacy Policy

This policy is effective as of January 5th, 2024

Seascape Clinical was created on the beliefs that:

This Privacy Policy is provided to you, in line with the following Applicable Personal Data Protection Legislation:

• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (GDPR), which became enforceable across the EU and the EEA from 25 May 2018, having replaced the previous Directive 95/46/EC. In Ireland, the national law which, amongst other considerations, gives further effect to the GDPR is the Data Protection Act 2018 (‘the 2018 Act’).

• The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. 

• The California Consumer Privacy Act 2018 (CCPA), Assembly Bill of the State of California, United States of America, No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the Governor on 28 June 2018. Filed with the Secretary of State on 28 June 2018 and enforceable since 01 January 2020.

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

The primary goal of Processing Personal Data is to allow Seascape Clinical’s Clients to use Seascape’s technology platform (ClinOps Pro) to manage and analyze data related to those natural persons who have joined or are conducting Seascape Clinical’s Clients’ clinical trials/Studies (as trial sponsors, clinical site staff, or study subjects) of their own free will and initiative.

Study subjects specifically are identified using an alias (i.e. subject number).

Seascape Clinical (the organization and its staff members) is aware that Personal Data/Health Information may represent a risk towards you if accessed by unauthorized third parties. That is why a set of Policies, Operational Processes, and mechanisms (technological and human-based) has been developed, ensuring that the Personal Data entrusted by you to Seascape Clinical will be maintained, handled, and shared in a manner that warrants its security, accuracy, confidentiality, and privacy, hence assuring your Personal Data Protection.

Personal Data is exclusively Processed under the scope and purpose of the Services described in this Privacy Policy (meaning each Study).

Every Data Subject maintains full control over their personal data (and, where applicable, their offspring’s), as well as the Personal Data processing activities undertaken by Seascape Clinical (as defined under applicable personal data Protection Legislation or specifically the GDPR, where its ruling is more protective of the Data Subject’s Rights).

Applicability

Seascape Clinical reserves the right to modify this Privacy Policy at any time by posting updated time-stamp versions on its websites.

The Data Processor

Seascape Clinical is a United States-based company that provides a configured technology platform (ClinOps Pro) and related services that allow Clients (clinical trial sponsors) to create, import, transact, report on, and store their clinical study data in a way that allows for more efficient study oversight and conduct. Within ClinOps Pro, data pertaining to clinical trial subjects is at most associated with an alias (subject number) and not personally identifying information such as first names, last names, address, etc. All questions or requests regarding the processing of the personal data under Seascape Clinical’s control or processing may be addressed to dpo@seascapeclinical.com.

The Data Controller

Seascape Clinical collects data from persons for the purposes of providing marketing, sales, and project management services, and creating ClinOps Pro user accounts.

Seascape Clinical’s Data Protection Officer (DPO) contact information:

  • Email: dpo@seascapeclinical.com

Seascape Clinical Core Activity – Cloud-based Technology Platform provided as Software-as-a-Service (SaaS)

Seascape Clinical’s service consists of allowing Clients to use its cloud-based technology platform (ClinOps Pro). Under this scope, Seascape Clinical provides the following Service Catalogue (as well as those related to marketing and sales of ClinOps Pro) and applicable “Legal Basis” for processing Personal Data (respectively):

Project Management

To service Clients, Seascape must collect the following information from each member of the Client study team that will be working with the Seascape Client Success Manager:

  • First Name
  • Last Name
  • Corporate Email Address

ClinOps Pro Account Creation

To create user accounts and give access to ClinOps Pro, Seascape must collect the following information from each ClinOps Pro user:
 
  • First Name
  • Last Name
  • Corporate Email Address

Site Contact Information

Part of allowing Clients to oversee their clinical trials involves allowing them to store clinical site contact information in ClinOps Pro.  ClinOps Pro allows Client users to enter, edit, and store the following for each clinical site contact:

  • First Name
  • Last Name
  • Email Address
  • Phone Number
  • Institution Name
  • Physical Address
  • Role

Subject Information

In various places, ClinOps Pro allows Clients to enter, edit, and store anonymized data (i.e. subject is only identified via a subject number) related to clinical trial subjects.  This includes but is not limited to:

  • Subject Country
  • Subject Institution
  • Subject Lab Data
  • Subject Adverse Event Data

Processing (Treatment) over Personal Data

Gathering/Collection

Seascape Clinical gathers Personal Data directly from ClinOps Pro or its marketing website (https://seascapeclinical.com), through user actions on the website. When a user uses a Seascape website, a session cookie file may be placed on their browser device. Seascape Clinical only uses cookies that record information about the IT architecture and landscape of the device being used by the visitor (e.g., browser, device, etc.); however, that visitor is never identified personally (as a Data Subject). IP addresses are exclusively cross-referenced with other data for the purpose of safeguarding Seascape Clinical, Study results, and the Data Subjects from fraud attempts. For detailed information about cookies in use and similar employed technologies, please refer to the Cookie Policy.

Storing

Seascape Clinical is a digital company and most of the data and information it requires to operate is exclusively maintained in digital format on its IT systems hosted at Oracle Cloud data centers in the United States and globally. Data in transit and at rest are encrypted. This guarantees its security and confidentiality.  Data Subjects are informed of the data hosting in the United States and globally and they provide explicit consent to the processing of their Personal Data/Health Information. Therefore, they are fully aware and consenting to the transfer and hosting of such data/ information in the United States.

Sharing

Seascape Clinical does not share any type of data, whether anonymized or Personal.

Recordings

In addition to the interaction over ClinOps Pro or by email, designated Seascape Clinical staff may speak with you either over the phone or by video call using the software Zoom. However, no recordings will be made.

Data Minimization

Seascape Clinical takes every reasonable step to ensure that Personal Data under its direct processing activities (as the Controller) is limited to the amount and type that is necessary to the successful execution of the Studies.

Personal Data Security, Privacy, and Confidentiality Assurance

Seascape Clinical’s IT landscape is configured and monitored under guidance provided by the strictest security market standards (e.g., ISO 27000 family, SOC2, ITIL, Privacy by Design) and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under applicable Personal Data Protection Legislation towards the Protection of Personal Data/Personal Information/Health Information. This is intended to assure confidentiality and privacy while under Personal Data Processing Activities performed by itself and its partners within the scope of Seascape Clinical’s rendered services.

Personal Data Retention

Seascape Clinical processes Personal Data in accordance with the deadlines stipulated in the effective legislation in the country and by regulatory supervisory authorities. After the expiry of legal/regulatory periods, Seascape Clinical will erase your Personal Data. Personal Data with regard to which there is no explicit legislative/supervisory obligation to be kept shall be erased after the purpose for which it was collected and processed has been achieved.

Data Subjects Rights

Under applicable Personal Data Protection Legislation, the Data Subject has the following set of established rights:

General Data Protection Regulation (GDPR) Rights:

  • Right to correct – We would like your Personal Data to be accurate and up-to-date. If any piece of your Personal Data is inaccurate or out-of-date, please inform us and we will correct it.
  • Right to deletion – You may ask Seascape Clinical to delete your Personal Data, but the relevant legal grounds should apply in order to fulfill the request. We will not delete any information about you that we are legally required to keep, or where we have grounds not to delete this information. We will have one month to answer your request. If we refuse to delete the information, we will provide the basis for our decision and the legal grounds for it.

Health Insurance Portability and Accountability Act (HIPAA) Rights

  • The right to receive a notice of privacy practices – Please refer to this Privacy Policy plus the information provided to you upon requesting your consent to become a clinical study subject.
  • The right to access and request a copy of medical records – Please refer to the Right of Access under the GDPR.
  • Right to rectification – The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. ClinOps Pro users may directly amend existing information on the Seascape Clinical website user account area or by submitting a request as defined later in this document, which is the application process for those Data Subjects who are not Seascape Clinical Participants.
  • The right to request an amendment to medical records – Please refer to the Right to Rectification (above) under the GDPR.
  • Right to erasure – The right to have Personal Data pertaining to them that is under Processing by Seascape Clinical erased and, therefore, Processing stopped, unless a legal duty or a legitimate ground to retain certain data prevents Seascape Clinical from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.

California Consumer Privacy Act (CCPA) Rights

  • Right to know and access your personal information – Similar to the Right of Access under the GDPR, California residents have the right to:
    • Know the categories of Personal Information we collect and the categories of sources from which we received the information.
    • Know the business or commercial purposes for which we collect and share Personal Information.
    • Know the categories of third parties and other entities with whom we share Personal Information, and
    • Access the specific pieces of Personal Information we have collected about you.
  • Right to deletion – Again in a similar manner to the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their Personal Data/Information. We may refuse the exercise of such right if it would prevent us from exercising a legal defense, if a legal obligation prevents us from doing so, or if doing so would risk our not being able to fulfill any open contractual obligations.
  • Right to opt out of sales – We do not sell your data.
  • Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data.

For any of the above-mentioned CCPA-related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide information sufficient for us to confirm the identity of the authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf, and this may add time to the fulfillment of your request.

Any Data Subject may exercise his/her rights under GDPR by contacting Seascape Clinical’s DPO through the e-mail address dpo@seascapeclinical.com.

If you have any questions or complaints, or wish to exercise your rights under GDPR, please make the following clear in your message (if the Data Subject is a clinical trial subject, Seascape will also inform the related sponsor Client):

  • Purpose: Question; Complaint; Exercise of the Data Subject’s rights under GDPR
  • What triggered your need to contact us?
  • When did the root cause which triggered the need to contact us take place?
  • Why is there a need to provide an alternative personal contact?
  • Under applicable Personal Data Protection legislation only the Data Subject may exercise their rights, hence organizations must ensure and document that the Data Subject or their legal representatives are the ones interacting with Seascape Clinical while acting over their Personal Data.

Glossary

“Data Protection Officer” (DPO) means the natural person within a company who bears the responsibility of ensuring corporate compliance towards GDPR (as defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with GDPR rules, guidelines and requirements.

“Data Subject” means the identified or identifiable natural person to whom personal data relates. Both Parties understand that the data subject is the sole owner of personal data which pertains to them.

“Data Subjects’ Rights” means the rights established towards the Data Subjects under Applicable Personal Data Protection legislation. Please check the item below under the title “How to exercise Data Subjects’ rights”.

“IT Landscape” means the set of IT assets and services of and at the disposal of each party that enables their “Personal Data Treatment” operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.

“Legal Basis” means the listed lawful grounds on which a company may undertake “Personal Data Treatment” activities under GDPR, namely (but not limited to) having documented: the Data Subject’s Explicit Consent towards “Personal Data Treatment” activities; the company’s Legitimate Interest in proceeding with “Personal Data Treatment” activities; accessory legal obligations that the company must observe and which entitle it to proceed with Personal Data Processing Activities within the limits of such ruling and inherent obligations; others as defined under GDPR.

“Partner” means any 3rd party entity to which each party may resort in order to ensure Personal Data Processing Activities under a legal basis (as established by GDPR) and within the scope of agreed Services.

“Personal Data” means any Data that either on its own or where cross-referenced with other Data allows the identification of a specific natural person.

“Personal Health Information” has (under the scope of this Privacy Policy) the same meaning as Personal Data (notwithstanding the fact that it still maintains the definition under HIPAA).

“Personal Data Processing Activities” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection/retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).

“Personal Data Breach” means any event or incident (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Processor” means the entity which proceeds with authorized Personal Data Processing Activities (under a Data Processing Agreement [DPA]) on behalf of the Controller.

“Scientific Method” means a set of principles and empirical processes of discovery and demonstration considered characteristic of or necessary for scientific investigation, generally involving the observation of phenomena, the formulation of a hypothesis concerning the phenomena, experimentation to test the hypothesis, and development of a conclusion that confirms, rejects, or modifies the hypothesis.

“Service Catalog” means the set of Services rendered by Seascape Clinical that requires Personal Data Processing Activities.

“Clinical Trial or Study” means an organized endeavor (which observes the scientific method) to discover the impact of COVID-19 vaccines and therapeutics indicated for COVID-19, as herein described in detail and above in this document.

“Clinical Trial Subject” means a natural person who decides to join (by enrolling) in one of Seascape Clinical’s Clients’ Studies.

“Sub-processor” means any Processor engaged by any of the Parties which performs complementary Personal Data Processing Activities within the scope of the Services.

Contact Us

If you have any questions or complaints about this Policy, please contact us at dpo@seascapeclinical.com or 274 Redwood Shores Parkway, #522, Redwood City, CA 94065.

 