Meditrial Europe LTD, headquartered in Bahnhofstrasse 23 CH-6300 Zug, Switzerland, (henceforth “Meditrial”) is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to the Catchtrial website and Catchtrial EDC system (collectively referred to as the “Services”) and governs data collection and usage. By using the Services, you consent to the data practices described in this statement.

Data Controller

Meditrial, as identified at the top of this Privacy Policy, is the data controller regarding all personal data processing carried out through the Services.

Data Protection Officer

If you have any questions, comments or requests regarding this privacy policy or our processing of your information, please contact Meditrial Data Protection Officer (dpo@meditrial.net).

Principles relating to processing of personal data

According to the article 5 of GDPR any personal data which you provide to Meditrial over the Services or which is otherwise gathered via the website by Meditrial will be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

Personal data processed

a. Name, address and contact details
Meditrial collects personally identifiable information (“personal data”), such as your e-mail address, name, home or work address or telephone number. Meditrial also collects anonymous demographic information, which is not unique to you, such as your ZIP code, age, gender, preferences, interests and favorites.
To request a demo, an account, an access to a study or to sign up for the newsletter, you will be required to provide some personal data, by entering your information in the text fields requested. If you decide to fill those fields sharing personal data related to other persons, you will be considered as an independent data controller regarding that personal data and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify Meditrial against any complaints, claims or demands for compensation for damages which may arise from the processing of this personal data, brought by the third parties whose information you provide through the Services.

b. Browsing data
There is also information about your computer hardware and software that is automatically collected by Meditrial. This information can include: your IP address, browser type, domain names, access times and referring website addresses. This information is used by Meditrial for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the Services.

c. Special categories of personal data
Sensitive personal data is not requested information on the Services. Please be aware that if you provide personal data filling free text fields, you may inadvertently disclose more sensitive categories of personal data (e.g., but not limited to, data revealing your race or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership).
Meditrial asks that you do not disclose any sensitive personal data on the Services, unless you consider this to be strictly necessary. As it is totally optional to provide this information, if you do, this action will be an explicit consent to process the personal data provided by you.
Meditrial does not use or disclose sensitive personal information, such as race, religion, or political affiliations, without your explicit consent.
Please keep also in mind that if you directly disclose personally identifiable information or personally sensitive data through Meditrial public message boards, you relieve Meditrial of any liability relating to the processing of this data, which may be collected and used by others.

Purpose of processing

Meditrial intends to use your personal data, collected through the Services, for the following purposes:

a. Service provision
Meditrial collects and uses your personal information to operate the Services and provide the deliverables you may request.

b. Marketing
Meditrial also uses your personal data to inform you of other products or services available from Meditrial and its affiliates. Meditrial may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.
The Services provide forms allowing visitors or users to submit search engine queries, questionnaires, feedback, or other information. Some of these forms may request personally identifiable information (e.g., name, address, phone number, e-mail address) for specific purposes, such as when the submitter is requesting a demo, an access to a study, an account or signing up for the newsletter. All information submitted by visitors or users is voluntary.

c. Profiling
Meditrial may create a profile of you as a user of the Services, through the use of profiling cookies and by collecting and analysing information on the preferences you select and choices you make, as well as your general activities on the Services. This profile will be used to give you information about other services which Meditrial believes you may be interested in, and to show you information and advertisements which may be relevant to you and your interests (for more details please see the paragraph “Use of cookies”).
Moreover, Meditrial keeps track of the websites and pages our customers visit within the Services, in order to determine what services are the most popular. This data is used to deliver customized content and advertising to customers whose behavior indicates that they are interested in a particular subject area.

d. Compliance
Meditrial will process your personal data to maintain appropriate business records, to comply with lawful requests by public authorities and to comply with applicable laws and regulations or as otherwise required by law.

e. Preventing misuse/fraud
Your personal data may be handled by Meditrial to prevent and detect any misuse of the Services and any fraudulent activity carried out through them.

Data retention period

The data retention period varies according to the different purposes of processing. In detail personal data processed for:

  • Service Provision will be kept by Meditrial for the period deemed strictly necessary to fulfil such purpose. In any case, as these personal data is processed for the provision of the services, Meditrial may continue to store this personal data for a longer period, as may be necessary to protect Meditrial’s interests related to potential liability related to the provision of the Services;
  • Marketing and Profiling will be kept by Meditrial from the moment you give consent until the moment you withdraw the consent given. Once consent is withdrawn, personal data will no longer be used for these purposes, although it may still be kept by Meditrial, in particular as may be necessary to protect Meditrial’s interests related to potential liability related to this processing;
  • Compliance will be kept by Meditrial for the period required by the specific legal obligation or by the applicable law;
  • Preventing Misuse/Fraud will be kept by Meditrial for as long as deemed strictly necessary to fulfil these purposes.

Sharing of your personal data

The persons or entities with whom your personal data may be shared (“Recipients”) are listed below:

  • Persons authorised by Meditrial to process personal data needed to carry out activities strictly related to the provision of the services, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., Meditrial personnel);
  • Entities engaged in order to provide the services (e.g., hosting providers or e-mail platform providers);
  • Persons, companies or professional firms providing Meditrial with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the services;
  • Public entities, bodies or authorities to whom your personal data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities.

Meditrial will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to:

  • protect and defend the rights or property of Meditrial;
  • act under exigent circumstances to protect the personal safety of users of Meditrial, or the public.

Transfer of personal data

The personal data collected by us may be transferred for the above-mentioned processing purposes to any third parties to whom Meditrial subcontracts all or part of this processing. This may for instance include e-marketing service providers, hosting providers and any other relevant roles. Note that your personal data will never be sold to a third party.
In the event of transfer of personal data to a country outside of the European Economic Area, Meditrial systematically ensures the application of an adequate level of protection of such personal data by means approved by applicable data protection legislation. In particular, Meditrial implements appropriate safeguards to ensure the lawfulness and security of these personal data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand.
Moreover, in order to provide services to users located outside the European Economic Area, Meditrial may transfer the users’ personal data and all the data loaded into the EDC system to Google’s cloud platforms situated outside the EEA. It is important to underline that, as well as Meditrial, Google has developed a Privacy policy compliant with the GDPR provisions and it has implemented appropriate measures to protect the processed personal data.

Catchtrial users’ rights

With regard to the processing of your personal data, Meditrial acknowledges the following rights to you:

  • the right to request access to and rectification or erasure of personal data or restriction of processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to withdraw their consent to data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a Supervisory Authority in particular in the EU Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR.

You can always exercise your rights described above by sending a written request to Meditrial at the following address: dpo@meditrial.net.

Misuse of Catchtrial (disclosure of other’s personal data)

You are required to store only anonymized files in the EDC system.
If you intentionally or inadvertently upload documents or images including personal data belonging to clinical trial patients or to other subjects, you will be considered as an independent Data Controller regarding that personal data and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify Meditrial against any complaints, claims or demands for compensation for damages which may arise from the processing of this personal data, brought by the third parties whose information you provide through Catchtrial EDC system.
The same applies in the case you fill in the free fields of the Case Report Forms with other’s personal data.

Security of your personal information

Meditrial secures your personal information from unauthorized access, use or disclosure. Meditrial secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure.
Moreover, technical measures have been developed by Meditrial in order to ensure the anonymization of the data uploaded to the Catchtrial EDC system by users.
For an in-depth analysis of all the data security measures, please read the Catchtrial Security Statement (https://www.catchtrial.com/en/security-statement/).

Use of cookies

The Services use “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the web server that you have returned to a specific page. For example, if you personalize the Services pages, or register on them, a cookie helps Meditrial to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same Services, the information you previously provided can be retrieved, so you can easily use the Services features that you customized.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Services.

Consent to personal data processing (Catchtrial EDC Users)

As a Catchtrial EDC User you will be required to click a box in order to provide your consent to personal data processing for the above-mentioned purposes.
This box concerns the consent to personal data processing for the services provision, compliance and prevention of misuse or fraud. Please note that this consent is essential to provide you with the requested service: therefore if you do not tick this box, the service cannot be supplied.

Changes to this statement

Meditrial will occasionally update this Statement of Privacy to reflect company and customer feedback. Meditrial encourages you to periodically review this Statement (www.catchtrial.com/en/privacy-statement/) to be informed of how Meditrial is protecting your information.

Contact information

Meditrial welcomes your comments regarding this Statement of Privacy. If you believe that Meditrial has not adhered to this Statement, please contact Meditrial at dpo@meditrial.net. We will use commercially reasonable efforts to promptly determine and remedy the problem.

Last update: 02-January-2023