Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and United Kingdom (UK) Extension to the EU-U.S. DPF Policy
Effective as of November 2024
Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and United Kingdom (UK) Extension to the EU-U.S. DPF Policy
This Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and United Kingdom (UK) Extension to the EU-U.S. DPF Policy (“Policy”) applies to Parexel International Corporation and its U.S. operating subsidiaries, including those listed in Appendix A, (collectively referred to as “Parexel,” “Company,” “we” or “our”) when Personal Information is received from or about individuals in the European Economic Area (EEA)* or United Kingdom (UK) including Gibraltar in any format including electronic, paper, or verbal. Parexel values the confidence of its customers and respects individual privacy, including Personal Information of business partners / customers, investors, patients, clinical research participants, Investigators and Health Care Professionals, and clinical research site staff.
Parexel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Parexel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF and UK Extension to the EU-U.S. DPF Principles (DPF Principles) with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US. DPF. If there is any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
This Policy supplements Parexel’s Privacy Policy (collectively, they comprise Parexel’s “Privacy Policies”).
Any refences in this policy to the DPF, DPF Principles, EU-U.S. DPF, and/or EU-U.S. Data Privacy Framework is meant to be inclusive of both the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.
Advisory: Parexel may continue to rely on alternative data transfer mechanisms deemed appropriate by the relevant authorities to transfer data collected from the EEA and UK to the U.S., such as EU Standard Contractual Clauses. Switzerland has not granted an adequacy decision to the DPF, this means Parexel currently relies on alternative data transfer mechanisms, such as Standard Contractual Clauses, for such data transfers. When Parexel is acting as an agent/data processor, Parexel will follow the instructions of the data controller on the mechanism relied upon for data transfers.
Scope
This Policy applies to all Personal Information (see Definitions), whether in electronic or paper format, received by Parexel in the United States from the EEA and UK, including Personal Information of Healthcare Professionals / clinical investigator, clinical researcher site staff, potential and active trial participants / patients, business partners, customers, vendors / suppliers, external learners applying to Parexel Academy training courses, external learners enrolled in Parexel Academy training course, consumers, businesses contacts, investors, and government officials. This Policy outlines our general policy for the implementation of the DPF Principles.
LIMITATIONS ON SCOPE:
HR Data: Parexel’s EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension to the EU-U.S. DPF certification does not apply to the transfer of human resource data.
Adherence to the DPF Principles may be limited to (i) the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of an individual. Also, this Policy may not apply or may be limited when personal information is collected or processed by the following:
- Parexel, under an agreement that contains the requisite standard contractual clauses approved by the European Commission with respect to the personal information;
- Parexel, when necessary for the performance of a contract (e.g., external learner contract for training course) between an individual and Parexel; or
- Any Parexel affiliate, successor, subsidiary, business division or group that makes a separate certification to DPF, whether or not such certification covers only part or all types of personal information in scope of this policy.
Definitions
For the purposes of this Policy, the following definitions shall apply:
- “Agent” means any third-party processing personal information on behalf of and under the instruction of Parexel.
- “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “Individual” means any natural person located in the EEA or UK.
- “Personal Information” and “personal data” means data about an identified or identifiable individual received by Parexel in the US from the EEA or UK and recorded in any form.
- “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use disclosure or dissemination, and erasure or destruction.
- “DPF Principles” collectively mean the seven (7) privacy principles in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension to the EU-U.S. DPF, as well as the supplemental privacy principles and the associated guidance, details of which can be found at https://www.dataprivacyframework.gov/EU-US-Framework.
- “Sensitive Personal Information” means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the Individual. In addition, Parexel will treat as sensitive, any information received from a third-party where that third-party treats and identifies the information as sensitive.
Privacy Principles
The privacy principles in this Policy are in accordance with the DPF Principles set out in the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
Notice
Where Parexel collects Personal Information directly from Individuals in the EEA or UK it will inform them about the purposes for which it collects and uses Personal Information about them, the types of third-parties to which Parexel discloses that information, and the choices and means, if any, Parexel offers Individuals for limiting the use and disclosure of their Personal Information. Notice will be provided in a clear and conspicuous language when individuals are first asked to provide Personal Information to Parexel, or as soon as practicable thereafter, and in any event before Parexel uses the information for a purpose other than for which it was originally collected.
When Parexel, as a service provider, receives Personal Information from its subsidiaries, affiliates or other entities, including when acting as a Contract Research Organization (CRO) processing Personal Information under the direction of a Controller (usually the client, customer, research sponsor, etc.) it will use such information in accordance with the notices provided by the Controller and the choices made by the Individuals to whom such Personal Information relates.
During the conduct of its operations, Parexel may collect, uses, and process personal information relating to:
- Research Studies-Related Information: For Individuals who are participating in research studies managed by Parexel as a CRO or in other situations where Parexel is participating in research studies, including trial participants, patients, their spouses / partners, caregivers, and relatives, clinical research or other study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates. The collection of Personal Information such as contact information, qualifications, debarment status and account may be used in order to carry out the applicable studies and other study-related services and/or pharmacovigilance. Information collected may be transferred to the sponsor of a study, business partners, Parexel affiliates and third-party service providers performing study related duties and may furthermore be transferred to regulatory authorities.
- Customers and Program Participant Information: Prospective trial participants, prospective learners, prospective investigators and users of Parexel applications and websites who make enquiries regarding Parexel’s services and may be asked to provide Personal Information in order to provide the requested information, products or services. Personal Information provided may be used for the processing of requested transactions, improving the quality of our services, sending communications about our products or services, enabling our business partners and providers to perform certain activities on our behalf and complying with our legal obligations, policies and procedures.
- Business Contacts: Customers, vendors, and consultants. Parexel keeps contact information, account numbers and information relating to billing, together with other information which may be necessary for the daily operation of Parexel’s services including conducting customer, product and service surveys, direct marketing or products and services, handling customer complaints and enquiries, making disclosure under the requirements of any law applicable, any other directly related matters.
- Health Care Professionals: Parexel collects information about health care professional directly from the health care professionals, from public sources and from business partners. We use this information in connection with various health care activities, including clinical trials, real world studies of patient treatment, health care outcomes analysis, market research activities, and other situations where primary intelligence from health care professionals is applicable.
- Data Analytics Functions: In certain situations, Parexel obtains and processes information about Individuals for various data analytics purposes. In most situations, this data has been anonymized or de-identified and is no longer personal information when it is obtained by Parexel (or when it is transferred to the United States).
Parexel may use the personal information it collects to comply with our legal obligations, policies and procedures for internal administrative purposes.
Personal Information collected and/or processed may be disclosed to a particular study sponsor, third-party service provider, business partner and/or where required, regulators. Parexel may not need to furnish notice where processing is necessary to respond to a government inquiry, is required or authorized by applicable laws, court orders or government regulations, or is necessary to protect Parexel’s legal interests and providing notice would interfere with the above requirements.
Choice
Parexel will offer Individuals the opportunity, where practical and appropriate, to choose (opt-out) whether their personal information is (i) to be disclosed to third-parties or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Individuals.
Please contact:
Privacy Officer
Parexel International Corporation
2520 Meridian Parkway
Durham, NC 27713, USA
privacy@parexel.com
Parexel will not process Sensitive Personal Information about Individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the Individual unless the Individual explicitly consents to the processing (opt-in), or as required or permitted, or where not prohibited by law or regulation.
Parexel also may transfer Personal Information when a material event concerning its business operation(s), assets or shares, such as a purchase, disposal, merger, joint venture or acquisition, is proposed or occurs. In such an event, Parexel will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Policy.
Accountability for Onward Transfer
In most situations, transfers to third parties are covered by the provisions in this Policy regarding notice and choice.
Parexel does not sell or otherwise disclose Personal Information, except as described in our Privacy Policies or in a notice provided to Individuals at the time of collection, or as Individuals explicitly consent. In circumstances in which Parexel obtains Personal Information as a service provider for a Controller, the Controller is responsible for protecting individual rights with respect to onward transfers.
Parexel will endeavor to only transfer Personal Information to a third party acting as an Agent, where Parexel is assured: (i) transfers such data only for limited and specific purposes; (ii) has ascertained that the Agent is obligated to provide at least the same level of privacy protection as is required by the DPF Principles; (iii) takes reasonable and appropriate steps to ensure that the Agent effectively processes the Personal Information transferred in a manner consistent with Parexel’s obligations under the DPF Principles; (iv) requires the Agent to notify Parexel if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles; (v) upon notice, including under (iv), Parexel will take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that Agent to the Department of Commerce upon request.
Where Parexel knows that any third party to whom it has provided Personal Information is using or disclosing Personal Information in a manner contrary to this Policy and/or the DPF Principles, Parexel will take reasonable steps to prevent or stop the use or disclosure.
Parexel is potentially liable under the DPF Principles if third party Agents that it engages to process the Personal Information on its behalf does so in a manner inconsistent with DPF Principles, unless Parexel proves that it is not responsible for the event giving rise to the damage.
Security
Parexel takes reasonable technical, administrative, and physical precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation
Parexel uses Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. Parexel takes reasonable steps to ensure that the Personal Information is reliable for its intended use, accurate, complete, and current as long as Parexel retains possession of such information.
When acting as a CRO or in other situations where Parexel acts on behalf of a Controller, Parexel endeavors only to process Personal Information that is relevant to the services it provides, and only for purposes compatible with those for which the Personal Information was collected. Where Parexel processes Personal Information as a CRO or otherwise acts under the direction of a Controller, Parexel works with such Controllers so that the Controller can provide a way for Individuals to correct or update their Personal Information.
Access
Upon request Parexel will grant Individuals reasonable access to the Personal Information it holds about that Individual. In addition, Parexel will take reasonable steps to permit Individuals to correct, amend, or delete information that is demonstrated to be inaccurate or has been processed in violations of the DPF Principles, except where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy, or where the rights of persons other than the Individual would be violated. Parexel reserves the right to charge a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals.
Please contact:
Privacy Officer
Parexel International Corporation
2520 Meridian Parkway
Durham, NC 27713, USA
privacy@parexel.com
In circumstances in which Parexel maintains Personal Information as a CRO or service provider for Controllers, the Controller’s are responsible for providing Individuals with access to their Personal Information and the right to correct, amend or delete the data where it is inaccurate. In these circumstances, Individuals should direct their questions to the appropriate Controller. Parexel personnel have limited ability to access personal data, because research site staff and Investigators or our business partners / customers retain the key to the key-coded data. If you believe Parexel has your data and wish to request access, to limit use, or to limit disclosure, please provide the name of the research site staff and Investigators or Parexel business partner / customer who submitted your personal information to our services. Parexel will refer your request to that research site staff and Investigators or business partner / customer and will support them as needed in responding to your request.
Recourse, Enforcement and Liability
Parexel encourages Individuals covered by this Policy to raise questions about the processing of Personal Information about them by contacting Parexel through the information provided below.
Any complaints or concerns regarding the use or disclosure of Personal Information transferred from the EEA or UK to the U.S. should be in the first instance be directed to the Parexel Privacy Officer using the contact information provided below. Parexel will investigate and attempt to resolve complaints in accordance with the DPF Principles within 45 days of receiving a complaint.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF Parexel commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EEA and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF Parexel commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and UK Extension to the EU-U.S. DPF. Parexel is committed to following the determination and advice of these authorities. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means; for additional information, see https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction. The Federal Trade Commission has jurisdiction over Parexel’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.
In circumstances in which Parexel obtained or maintains Personal Information as a CRO or other Service Provider, Individuals may submit complaints concerning the processing of their Personal Information to the relevant Controller, in accordance with the Controller's dispute resolution process. Parexel will participate in this process at the request of the Controller or the Individual. Parexel will take steps to remedy any issues arising out of the potential failure to comply with the DPF Principles.
Changes to this Policy
This Policy may be amended from time to time, without advance notice, to ensure an appropriate level of protection for Personal Information and compliance with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended Policy, as stated.
Contact Information
Privacy Officer
Parexel International Corporation
2520 Meridian Parkway
Durham, NC 27713, USA
privacy@parexel.com
* EEA consists of the 27 EU member countries plus Iceland, Liechtenstein and Norway