Velocity Privacy Policy
Document Title | Velocity Privacy Policy |
Document # | POL GEN-007 |
Revision # | 00 |
Effective Date | 15 Apr 2024 |
1. Introduction
Velocity Clinical Research Inc. ("we" or "our", “Velocity”) collects, stores, and processes Personal Data about individuals such as employees, suppliers, patients, and other third parties (“Data Subjects”) for a variety of purposes.
This policy outlines how we seek to protect such Personal Data. It helps ensure that we understand the principles governing the use of Personal Data. It also describes how we collect, handle and store Personal Data to meet our own data protection standards, and to comply with the EU General Data Protection Regulation 2016/679 (the "GDPR") and other related regulations and delegated national legislation (together "Data Protection Law").
Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
a. Scope
This policy applies to all Employees who handle the Personal Data of individuals for business purposes both inside and outside of Velocity.
b. Objective
Our objective is to protect the data subjects by obtaining, collecting, handling, and processing their Personal Data in accordance with applicable data protection law.
c. Consequences of breaching this policy
We take compliance with this policy and our obligations under Data Protection Law very seriously. A failure to do so may put our employees, others and Velocity as a whole at risk of non-compliance. Any breach of this policy may result in disciplinary action being taken, up to and including dismissal.
d. Related policies and procedures
This policy supplements our other related policies and procedures (which may be implemented or amended from time to time). They can be found stored within MasterControl, Velocity’s Quality Management System (QMS) document repository.
e. What is data protection and why is it important
All individuals have rights pertaining to the way in which their Personal Data are processed. The term "Data Protection" in this policy refers to the processing of Personal Data in such a manner as to provide and protect the corresponding rights to privacy which Data Subjects have and their legal protection surrounding Personal Data (according to applicable data protection law).
f. What are Personal Data
Personal Data means any data (or a combination of data) from which a living individual can be identified directly or indirectly. Personal Data can be factual, or it can be an opinion about an individual, their actions, and behavior.
Within Personal Data there is a sub-category: Special Categories of Personal Data. These are information related to a person's race or ethnicity, political opinions, religious, spiritual or philosophical beliefs, trade union membership, physical or mental health, sexual life, biometric data for the purpose of uniquely identifying a natural person, genetic data and data concerning a natural person's sex life or sexual orientation (according to data protection law, e.g. Art. 9 GDPR). There are even stricter conditions for processing Special Categories of Personal Data.
2. Data protection principles
There are several principles under data protection law which must be satisfied while processing Personal Data. In the following section you will find a description of how we aim to achieve compliance with these principles:
- Accountability: We are responsible for ensuring and must be able to demonstrate that the key principles and rules of Data Protection Law are met.
- Lawfulness, Fairness and Transparency: Personal Data may only be processed lawfully, fairly and in a transparent manner. This means we must inform Data Subjects on how and why we process their data (transparency) that the processing must match the description given to the Data Subjects (fairness) and that the processing uses one of the legal bases set forth in data protection law (lawfulness).
- Purpose Limitation: We must specify exactly what the Personal Data we collect will be used for (prior to collecting them) and limit the processing of that Personal Data to only what is necessary to meet the specified purpose.
- Data Minimization: The Personal Data we collect shall be adequate, relevant and limited only to what is necessary for the purposes for which they are processed.
- Accuracy: We have processes in place to ensure that Personal Data is accurate and kept up to date.
- Storage Limitation: Personal Data shall be kept in such a way which enables us to identify the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.
- Security/Integrity and Confidentiality: We use appropriate technical and organizational measures to protect the integrity and confidentiality of Personal Data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage.
a. Accountability
Monitoring
There are significant implications for Personal Data Breaches or non-compliance with our legal responsibilities under data protection law. It is our responsibility to process all Personal Data in accordance with our legal obligations and the principles of Data Protection.
If we do not meet the accountability requirements of data protection law, there is not only a risk of non-compliance, but also a significant risk to our reputation.
We assess compliance with this policy in two regards:
- Compliance in relation to the protection of Personal Data in general
- The effectiveness of Data Protection measures related to our operational practices
We do reviews on a regular basis and follow the rules of the PDAC Cycle (Plan-Do-Act-Check) for the control and continuous improvement of our processes. This is to establish that an adequate level of compliance is being achieved.
Personal data breach reporting
It is our responsibility to report a personal data breach to the appropriate supervisory authority within 72 hours, if required by law (this is counted from the time we became aware of the incident).
When it is suspected that a Personal Data Breach has taken place for which we are responsible (as Controllers) it must be investigated internally by the Data Protection Officer (DPO) and the incident response team. If the incident results in a risk for Data Subjects, it must be reported to the applicable supervisory authority within 72 hours of becoming aware of the incident.
Training
All Employees must complete Data Protection training relevant to their position.
The Human Resources team is responsible for ensuring that new employees are trained as part of onboarding, and all employees are retrained annually on Data Protection or whenever there is a substantial change in the law or our policy and procedure, whichever is more frequent. Velocity Quality is responsible for maintaining training records and storing the most up-to-date training materials and documents.
Responsibility
Each Employee who handles Personal Data has a responsibility to handle and process the Personal Data in line with this policy and applicable data protection law.
There are positions in Velocity with specific areas of responsibility:
- Company Leadership is ultimately responsible for ensuring that we meet our legal obligations.
- The Velocity Privacy Officer has overall responsibility for ensuring compliance with Data Protection Law.
- The Privacy Team has overall responsibility for the day-to-day implementation of this policy and for:
- Reviewing all Data Protection procedures and policies on a regular basis
- Arranging Data Protection training and advice for all staff members and those included in this policy
- Responding to Data Subjects who wish to know which Personal Data are being held on them by us
- Checking and approving with third parties that handle our Personal Data and contracts or agreements regarding Processing
- Maintaining a Record of Processing Activities incl. regular reviews and approvals
- The Head of Information Technology is responsible for:
- Ensuring that all systems, services and equipment used for storing data meet acceptable security standards
- Performing regular checks and scans to ensure security hardware and software is functioning properly
- Evaluating any third-party services Velocity is considering using to retain or process Personal Data
Overview over processing activities
Data protection law stipulates broad requirements regarding the documentation and proof of compliance with Data Protection obligations. A key element in this regard is the overview over processing activities as set forth in data protection law. We demonstrate data protection compliance through documentation in the Foxondo application[1].
“Privacy by design”
We seek to structure internal processes to have Data Protection principles embedded into every stage of processing activities. “Privacy by design” means that, both before and during any processing activity we carry out, we must implement appropriate technical and organizational measures to integrate safeguards into the processing. This is important to protect Data Subjects and meet the requirements of data protection law.
We always aim to implement appropriate technical and organizational measures both at the time of determination of the means for processing and at the time of the processing itself to ensure the principle of Data Minimization is met.
To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, a pre–Data Protection Impact Assessment (DPIA) check must be completed before starting a project (a preliminary, shorter Data Protection Impact Assessment). Depending on the outcome, a full DPIA might be legally required.
b. Lawfulness, fairness and transparency
We are responsible for understanding the context in which the Personal Data processing occurs as part of our day-to-day operations. We want to ensure that this is done fairly and in line with the law, and that we can clearly describe this to Data Subjects. We will always process Personal Data lawfully, fairly, and transparently in accordance with the Data Subject's rights.
Our third-party suppliers/contractors that process Personal Data on our behalf also have obligations of data protection. As such, we are legally required to:
- only engage the services of third-party suppliers/contractors who can demonstrate compliance with data privacy law, e.g. GDPR;
- put in place prescribed contractual arrangements with third party suppliers/contractors which meet the requirements of data privacy law, e.g. GDPR; and
- demonstrate to the data protection authorities that we have complied with these legal obligations.
Personal data collection and notification
We may only collect Personal Data where it is necessary for lawful purposes or explicitly allowed. We will only collect Personal Data from Data Subjects if one of the following statements applies:
- We are required to do so by an obligation imposed on us by law, e.g. EU or applicable local law.
- The processing is necessary to do so for business purposes and for our organization to enter into or perform its contractual obligations with Data Subjects.
- The processing is in our (reasonable) legitimate interests and the data subjects do not have more important conflicting interests.
- The individuals consented. This consent needs to be freely given and to be gathered according to applicable data protection law, e.g. Art. 7 GDPR.
- The data processing is in the vital interest of the data subject or another person.
When we collect personal data, we provide Data Subjects with information regarding the processing of their personal data free of charge in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This includes information on third parties to which their personal data is disclosed to and the purpose for which this happens.
As far as Personal Data will be transferred from GDPR territory to the USA within the Velocity Group, this will include information that
- Velocity is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC);
- Velocity is obliged to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles;
- Velocity is required to disclose personal information in response to lawful by public authorities, including to meet international security or law enforcement requirements;
- Velocity is liable in cases of onward transfers to third parties;
c. Purpose limitation: Processing for limited purposes
Personal Data collected for one purpose may not usually be used for a different purpose. We aim to only process Personal Data for purposes specifically permitted under data protection law. We inform the Data Subjects of those purposes.
d. Data minimization: Adequate, relevant, and non-excessive processing
Every processing should only use as much Personal Data as is required to successfully accomplish a particular purpose. We will always seek to collect Personal Data to the extent that it is required for the specific purpose notified to the Data Subject, and do not collect Personal Data which we do not need.
e. Accuracy: Ensuring that personal data is accurate
We aim to ensure that our systems and processes for identifying inaccurate information are robust and to act quickly to update or erase any inaccurate Personal Data. We endeavor to ensure that the Personal Data we hold is accurate and kept up to date. The Data Subjects may ask that we correct inaccurate Personal Data relating to them.
f. Storage limitation: Timely processing and data retention
We aim to not keep the Personal Data of Data Subjects for any longer than is necessary in accordance with applicable law. We take all required steps to destroy or erase all Personal Data from our systems (electronic/paper-based) which is no longer required.
All employees must ensure that they are familiar with the deletion concept/retention policy.
g. Security/integrity and confidentiality: Security of personal data
We should always make sure that all Personal Data held by us are subject to a level of security that is appropriate for the potential risk. We take appropriate security measures against unlawful and unauthorized processing of Personal Data, and against the accidental loss of, or damage to, Personal Data in line with our Information Security policy. Security procedures include (but are not limited to):
- Entry controls – Visitors cannot access facilities without assistance from employees and are not permitted in locations where personal data are stored unless escorted.
- Secure lockable desks and cupboards – desks and cupboards are kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
- Access controls – Data stored on a computer is protected by strong passwords and identification technologies.
- Retention location controls – Data is never saved directly to mobile devices such as laptops, tablets, or smartphones (but to centralized servers).
- Methods of disposal – paper documents are disposed of in locked boxes and shredded by a licensed and bonded shredding service. Digital storage devices are wiped using a full data overwrite or physically destroyed when they are no longer required.
- Equipment – data users ensure that individual monitors do not show confidential information to passers-by and that they log off from or lock their PC when it is left unattended.
3. Rights of the data subject
We must deal with any requests from Data Subjects exercising their rights without undue delay, and within one month of receipt. It may only take longer if exceptional circumstances are in place.
Data subjects have the following rights:
- Right to information
- Right to rectification (data correction)
- Right to deletion
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to a purely automated decision with negative effects
Data Subjects also have the right to lodge a complaint with the Data Protection supervisory authority about how we process their Personal Data.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
4. Data transfers
We sometimes transfer Personal Data to other entities. These entities can be subsidiary companies within our group but also other companies who process data on behalf of our company or provide the IT systems and services our users employ to process data.
Velocity will always ensure that these transfers are based on a legal basis. Where necessary for data transfers from the EU, Velocity will have in place Standard Contractual Clauses.
If we engage companies to process data on our behalf, we will cooperate only with processors who fulfil our requirements of providing appropriate technical and organizational measures which meet our standards and the requirements of data protection law. Before personal data is processed, data processing agreements will be in signed to bind the processor accordingly.
5. Velocity Privacy Officer and Data Protection Officer
The Velocity Privacy Officer helps facilitate our compliance with data protection law and acts as a point of contact for day-to-day issues and questions on data protection for both employees and the Data Protection Officer. The Velocity Privacy Officer has overall responsibility for managing the roll out of the various data protection law project work streams and the day-to-day implementation of this policy. These are her contact details:
Velocity Privacy Officer: Brandi Lang - privacy@velocityclinical.com.
The Data Protection Coordinator is the main contact point for our Data Protection Officer, whose contact details are the following:
Data Protection Officer: Alef Völkner and her team - tel. +49 22 66 - 90 15 920, DSB@fox-on.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at the above mentioned contact details.
The data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The data protection officer reports directly to the highest management level.
6. Revision History
Version Number | Revision Date | Revision Summary |
00 | NA | Original |
7. Glossary of Terms
Term | Meaning |
Employee(s)
|
All those employed or engaged in any capacity by Velocity. For the purposes of this policy, the word Employees extends to include the following categories: Board Members, Employees (full time, fixed term, part time and temporary), Contract workers, applicants and pensioners. |
Controller
|
A Controller is a person or organization that determines the purposes for which, and the manner in which, any Personal Data are processed, establishing practices and implementing policies in line with applicable data protection law. |
Data Protection
|
This term refers to the relationship between the processing of Personal Data, the associated expectations of privacy and the legal protection surrounding them. |
Data Subject
|
The individual to whom Personal Data relates such as an employee, client, contact person with a business partner, etc. |
Data Protection Authority
|
The Data Protection Commission is the supervisory authority/regulator responsible for enforcing Data Protection Law and upholding the data protection and privacy rights of Data Subjects in relation to the Processing of their Personal Data. |
Personal Data
|
Personal Data means any information (or a combination of information) from which a living person can be directly or indirectly identified as well as information containing statements about a person (e.g., Name, salary information, marital status, sick leave dates) |
Personal Data Breach | This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. |
Processing
|
Processing is any activity which involves the use of Personal Data. It includes i.e. obtaining, recording or holding Personal Data, or carrying out any operation or set of operations on Personal Data including organizing, amending, retrieving, using, disclosing, erasing or destroying data. Processing also includes sharing or transferring Personal Data to third parties and accessing of Personal Data held by a Controller or Processor. |
Processor | A Processor is any organization or external person that processes Personal Data on behalf of and/or on instruction of a Controller. |
Special Categories of Personal Data | As defined in data protection law, e.g. Art. 9 GDPR: Personal Data that are related to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or sexual life/orientation, biometric data for the purpose of uniquely identifying a natural person and/or genetic data. |
Document Title | Privacy Notice - HR -- Employee |
Document # | FORM GEN-001 |
Revision # | 00 |
Effective Date | 15 Apr 2024 |
Privacy Notice for Employees
This document informs you about the processing of your personal data by your employer, Velocity Clinical Research. Velocity Clinical Research is the Data Controller of your personal data.
Purposes of the data processing, personal data and legal basis
We process your personal data solely for employment (onboarding, throughout employment, and during termination) related to your role and function in our company and for our legitimate business interests. These include:
Purpose | Personal data categories | Legal basis |
Personnel management (e.g. maintenance of employee files), onboarding, external communication | Basic employee data (e.g. name, gender, nationality, private address and contact information, employee number and IDs, position, information on work equipment, contract data, social security number, work permits, insurance data)
|
Performance of (temporary or permanent) employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR) |
Quality management and tracking of personnel actions | Basic employee data, information on specific actions (e.g. participation in internal processes, actions taken in clinical studies, shift planning) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or or Art. 6 (1) (b) GDPR); legitimate interests of keeping high quality standards in the company (in the EU: Art. 6 (1) (f) GDPR)
|
Payments and accounting (including payroll accounting, payment of wages and salaries, financial accounting, tax withholdings, personnel cost planning and budgeting)
|
Basic employee data, payment data (e.g. salary and payments, loans and advances, bonuses, national insurance number, banking data, travel expense data) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act or Art. 6 (1) (b) GDPR) |
Pensions management
|
Name, contract data (e.g. on termination of employment, position), pension and social security data (e.g. salary, special payments, absences).
|
Fulfilment of legal duties (in the EU: Art. 6 (1) (c) GDPR). |
Employee time management (including organization of absences, planning and recording of working hours and vacation time, parental leaves)
|
Basic employee data and time management data (e.g. working hours, holiday and other absences, parental leave, sick leave, family medical leave) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act) |
Performance reviews, internal talent management | Basic employee data and performance data (e.g. training data, performance reviews, metrics, roles, supervisor name) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act); internal talent acquisition is based on legitimate interests to keeping high quality standards in the workforce
|
Training and development | Basic employee data and training data (e.g. training events, training history, skills assessment results) | Performance of employment contract (e.g. in Germany: Sec. 26 (1) of the Federal Data Protection Act)
|
Recording work incapacity | Basic employee data and incapacity data (e.g. on work accidents, examinations, emergency contact information) | Fulfilment of employment-related duties (e.g. in Germany: Sec. 26 (3) of the Federal Data Protection Act)
|
IT security and improvement | Name, technical data (e.g. employee ID, laptop ID and configuration, laptop security alerts, login data) | Legitimate interests in keeping the IT infrastructure secure (e.g. in the EU: Art. 6 (1) (f) GDPR)
|
Legal claims and disputes management | Name, claims-related information (e.g. information on disciplinary actions, breaches, warnings) | Legitimate interests (in the EU: Art. 6 (1) (f) GDPR, or in case of special categories of personal data: Art. 9 (2) (f) GDPR |
In limited cases, we will rely on your consent, e.g. for publication of your photo or keeping lists on anniversaries and birthdays (in the EU: Art. 6 (1) (a) GDPR).
Recipients
We only transfer data to third parties if this is necessary or if there is a legal basis. Categories of third parties that may receive or be able to access your data include:
- Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
- Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarter is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU employee data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
- Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private.
Source and categories of data
We process the data you provide us. We may also receive data about you from third parties:
- Via the tax office: wage tax-relevant data (such as: marital status, child allowances)
- Via your health insurance company (electronic certificate of incapacity for work, if applicable, information on children's sick pay or maternity protection)
- Courts/creditors (in the case of garnishments or legal inquiries)
Retention periods
The data we collect about you will be deleted as soon as it is no longer required for the performance of the employment relationship, or the employment relationship has been terminated and there are no statutory retention periods to the contrary. Retention periods result from tax law, labour law and social security law regulations and generally extend up to 10 years.
Provision of data
You must provide us with the personal data that is necessary for us to be able to perform the contract with you and which we are legally obliged to collect. Without providing this mandatory information, we may not be able to enter into or maintain an employment relationship with you.
Your rights as a data subject
As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:
- Right to be informed, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
- Right not to be subject to an automated decision, Art. 22 GDPR
If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.
Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.
Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
If you have any questions about your rights and how to exercise them, please contact Human Resources or Velocity Clinical’s Privacy Officer at privacy@velocityclinical.com.
Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany
Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com
1. Revision History
This data protection notice is updated from time to time. You will always find the latest version on our intranet.
Version Number | Revision Date | Revision Summary |
00 | 15 APR 2024 | Original |
Document Title | Privacy Notice - Non HR - Data protection information for business partners or contact persons at our business partners |
Document # | FORM GEN-002 |
Revision # | 00 |
Effective Date | 15 Apr 2024 |
Privacy Notice for business partners or contact persons at our business partners
Purpose of the data processing
We process your personal data for the following purposes:
- Establishment of professional contact and communication
- Maintaining business relations and implementing contracts between us and your employer or client
Legal basis
We process your data for our legitimate interests as stated above (Art. 6 Para. 1 Letter f GDPR). These are the performance of the contract and the maintenance of the business relationship with you or your employer/client. Insofar as we process personal data beyond this, this is based on your consent (Art. 6 Para. 1 Letter a GDPR).
Categories and sources of personal data
We process the following information about you: Name, gender, title, professional contact data, professional position, employer, financial data, information on previous communication. If you have voluntarily provided us with additional data, we may also have stored this data. If you have not provided us with your data yourself, we have received it from your employer or another business partner.
Recipients
We only transfer data to third parties if this is necessary or if there is a legal basis. Categories of third parties that may receive or be able to access your data include:
- Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
- Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarter is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
- Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private.
Source and categories of data
We process the data you provide us. We may also receive data about you from third parties:
- Your employer when we are in business contact.
Retention periods
The personal data are stored for as long as they are necessary for the above-mentioned purposes. If your contact details are processed in connection with invoices, we will store them in accordance with the statutory retention periods.
Your rights as a data subject
As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:
- Right to be informed, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
- Right not to be subject to an automated decision, Art. 22 GDPR
If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.
Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.
Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities is responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany
Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com
1. Revision History
This data protection notice is updated from time to time. You will always find the latest version on our intranet.
Version Number | Revision Date | Revision Summary |
00 | 15 APR 2024 | Original |
Document Title | Privacy Notice - Non HR -- Patients Recruitment Database |
Document # | FORM GEN-003 |
Revision # | 00 |
Effective Date | 15 Apr 2024 |
Privacy Notice for Patient Recruitment
Purpose of the data processing
We process your personal data for the following purposes:
- building up and maintaining a database of potential participants for future studies
- information of potential participants about studies that might be relevant for them
Legal basis
We process your personal data with your consent (Art. 6 para. 1 letter a GDPR) and to comply with legal and official requirements (Art. 6 para. 1 letter c GDPR).
Categories of personal data
We process the following data about you: Name, address, gender, contact data, date of birth, marital status, health data.
Recipients
We only transfer data to third parties if this is necessary or if there is a legal basis. Categories of third parties that may receive or be able to access your data include:
- Contractors we hire for specific support services, such as IT service providers, consultants, and external accounting or legal support. All such entities are strictly bound by confidentiality agreements not to use your data for any purpose other than the work we assign to them, and to keep your data private.
- Other Velocity Clinical Research business entities. This data remains within the Velocity group, but may involve international data transfer to the USA, where the Velocity headquarter is located. Many of our corporate shared services, such as HR, finance, and IT service provision are located in the USA, and EU data will therefore be accessible to individuals residing in the USA who are part of those functions. Data will only be transferred or disclosed to the extent necessary for this purpose and in compliance with the relevant data protection regulations. Velocity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Velocity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
- Clients, to the extent that they may need data about staff at sites where their trials are operating. Contracts with clients also include confidentiality agreements requiring them not to use your data for any purpose other than the work we assign to them, and to keep your data private.
Retention periods
The personal data are stored for as long as they are necessary for the above-mentioned purposes. If your contact details are processed in connection with invoices, we will store them in accordance with the statutory retention periods. We will only store your data for as long as you do not revoke your consent. As soon as you withdraw your consent, we will delete this data from our patient database.
Your rights as a data subject
As a data subject you are entitled to the following rights, provided that the legal requirements are fulfilled:
- Right to be informed, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
- Right not to be subject to an automated decision, Art. 22 GDPR
If the processing is based on your consent, you have the right to revoke this consent to process the data at any time with effect for the future. Insofar as the data processing is based on legitimate interests, you have the right to object to this processing of the data. For this, there must be legitimate reasons arising from your particular situation. You also have the right to lodge a complaint with the data protection supervisory authority regarding the data processing.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Velocity commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Velocity at: privacy@velocityclinical.com.
Velocity is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) regarding personal data received or transferred pursuant to DPF.
Under certain circumstances, you may invoke binding arbitration for complaints regarding DPF compliance when other dispute resolution procedures have been exhausted.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Velocity shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Responsible entity and the data protection officer
Velocity Clinical Research Germany GmbH on behalf of all EU/UK entities responsible for this data processing.
Velocity Clinical Research Germany GmbH
Rosa-Luxemburg-Str. 20
04103 Leipzig
Germany
Additionally, the Velocity Clinical Data Protection Officer can be contacted at:
fox-on Datenschutz GmbH,
Pollerhofstraße 33a, 51789 Lindlar, Germany.
Email address: dsb+vel@fox-on.com
1. Revision History
This data protection notice is updated from time to time. You will always find the latest version on our intranet.
Version Number | Revision Date | Revision Summary |
00 | 15 APR 2024 | Original |
Document Title | Velocity Privacy Notice for California Residents |
Document # | FORM GEN-012 |
Revision # | 00 |
Effective Date | 06 Sep 2024 |
VELOCITY PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
This Privacy Notice for California Residents (“Notice”) supplements the information contained in the Velocity Clinical Research, Inc. (“Velocity”) privacy policy and applies to visitors and users who reside in the State of California (“consumers” or “you”). We provide this notice in compliance with the California Consumer Privacy Act of 2018 (CCPA). Certain terms in this Notice are defined by the CCPA and their meanings may differ from the meanings that apply elsewhere on our websites.
Notice Scope
This Notice applies to your use of publicly available Velocity resources available via the internet, which include but are not limited to: VelocityClinicalTrials.com; Vision Engage; Vision Recruit; (each item is a “Velocity Website or Application”).
Personal Information Velocity May Collect
By using a Velocity Website or Application, you may provide Velocity with information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you, your household, or your device (“personal information”). Please review the privacy policy associated with the Velocity Website or Application you use to review the personal information you may provide to Velocity during your use.
In particular, Velocity has received the following categories of personal information from users of Velocity Websites or Applications within the last 12 months.
Categories of Personal Information | Specific Types of Personal Information Collected |
Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers) | - Real name
- Alias - Postal address - Internet Protocol Address - Email address
|
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | - Name
- Signature - Social security number - Physical characteristics - Driver’s license - Telephone number - Education - Employment - Employment history - Gender - Language - Race - Ethnicity |
Characteristics of protected classifications under California or federal law. | - Sex
- Race - Age - Ethnicity - Sexual Orientation - Marital Status - National Origin |
Biometric information | - Fingerprint
- Face ID |
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement) | - Browser history
- Search history |
Geolocation data | - Geolocation data |
Audio, electronic, visual, thermal, olfactory, or similar information | - Text messages
- Emails - Phone messages |
Professional or employment-related information | - Employer
- Profession |
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | - Behavioral Tracking
- Pixels/cookies/beacons |
Racial or ethnic origin, religious or philosophical beliefs, or union membership | - Race
- Ethnicity |
Processing of biometric information for the purpose of uniquely identifying a consumer | - Fingerprint ID
- Facial Recognition |
Health information | - Health history
- Immunization history - X-rays and imaging - Medical Conditions - Current Medications - Primary Care Physician - Height and weight - Birth control methods |
Sex life or sexual orientation | - Sexual orientation |
Potential Sources of Personal Information
How Your Personal Information is Collected. We collect personal information from the following categories of sources:
- You, directly in person, by telephone, text, or email and/or via our website and apps
- Third party with your consent (e.g., your bank)
- Advertising networks
- Internet service providers
- Data analytics providers
- Government entities
- Operating systems and platforms
- Social networks
- Data brokers
- Publicly accessible sources (e.g., property records)
- Cookies on our website
- Our IT and security systems, including:
- Door entry systems and reception logs
- Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email, and instant messaging systems
How and Why We Use Your Personal Information. Under data protection laws, we can only use your personal information if we have a proper reason for doing so, for example:
- To comply with our legal and regulatory obligations
- For the performance of our contract with you or to take steps at your request before entering into a contract, if applicable
- For our legitimate interests or those of a third party –or–
- Where you have given consent
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal information for and our reasons for doing so:
What we use your personal information for | Our reasons |
To provide services to you | For the performance of our contract with you or to take steps at your request before entering into a contract, if applicable |
To prevent and detect fraud against you or Velocity Clinical Research, Inc. | For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you |
Other processing necessary to comply with professional, legal, and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator | To comply with our legal and regulatory obligations |
Gathering and providing information required by or relating to audits, inquiries or investigations by regulatory bodies | To comply with our legal and regulatory obligations |
Ensuring business policies are adhered to, e.g., policies covering security and internet use | For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you |
Operational reasons, such as improving efficiency, training, and quality control | For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you |
Ensuring the confidentiality of commercially sensitive information | For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information
To comply with our legal and regulatory obligations |
Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures | For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you |
Preventing unauthorized access and modifications to systems | For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you
To comply with our legal and regulatory obligations |
Updating and enhancing clients and participants’ records | For the performance of our contract with you or to take steps at your request before entering into a contract, if applicable
To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our participants about existing orders and new products |
Statutory returns | To comply with our legal and regulatory obligations |
Ensuring safe working practices, staff administration and assessments | To comply with our legal and regulatory obligations
For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you |
Marketing our services and those of selected third parties to:
|
For our legitimate interests or those of a third party, i.e., to promote our business to existing and former clients and participants |
External audits and quality checks, e.g., Sponsor audits; financial audits | For our legitimate interests or a those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
To comply with our legal and regulatory obligations |
Who We Share Your Personal Information With. We routinely share personal information with:
- Our affiliates, including companies within the Velocity Clinical Research, Inc.’s group
- Service providers we use to help deliver our services to you, such as payment service providers, warehouses, and delivery companies
- Other third parties we use to help us run our business, such as marketing agencies or website hosts
- Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers
- Credit reporting agencies
- Our insurers and brokers
- Our bank
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Beyond the data collection and use as specifically set forth herein, Velocity does not sell data to third parties.
Categories of Personal Information We Disclosed for a Business Purpose. In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:
- Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers)
- Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
- Characteristics of protected classifications under California or federal law
- Biometric information
- Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement)
- Geolocation data
- Audio, electronic, visual, or similar information
- Professional or employment-related information
- Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes –and–
- Sensitive personal information
You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:
Disclosure of Personal Information We Collect About You | You have the right to know, and request disclosure of:
Please note that we are not required to:
|
Disclosure of Personal Information Sold, Shared, or Disclosed for a Business Purpose | In connection with any personal information we may sell, share, or disclose to a third party for a business purpose, you have the right to know:
You have the right to opt-out of the sharing of your personal information for the purpose of targeted behavioral advertising. If you exercise your right to opt-out of the sharing of your personal information, we will refrain from sharing your personal information, unless you subsequently provide express authorization for the sharing of your personal information. To opt-out of the sharing of your personal information, visit our homepage and click on the Do Not Share My Personal Information link here: https://velocityclinicaltrials.com/opt-out-preferences/ |
Right to Limit Use of Sensitive Personal Information | You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to:
You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. To limit the use of your sensitive personal information, visit our homepage and click on the "Limit the Use of My Sensitive Personal Information" link here: https://velocityclinicaltrials.com/opt-out-preferences/ |
Right to Deletion | Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:
Please note that we may not delete your personal information if it is reasonably necessary to:
|
Right of Correction | If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information. |
Protection Against Retaliation | You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things:
Please note that we may charge a different price or rate or provide a different level or quality of services To you, if that difference is reasonably related to the value provided to our business by your personal information. We may also offer loyalty, rewards, premium features, discounts, or club card programs consistent with these rights or payments as compensation, for the collection of personal information, the sale of personal information, or the retention of personal information. |
How to Exercise Your Rights. If you would like to exercise any of your rights as described in this Privacy Policy, you can do so here: https://velocityclinicaltrials.com/opt-out-preferences/ You may also contact us via email at info@velocityclinical.com.
- Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.
- If you choose to contact us directly by email you will need to provide us with:
- Enough information to identify you (e.g., your full name, address and customer or matter reference number)
- Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill) –and–
- A description of what right you want to exercise and the information to which your request relates
- We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information or is someone authorized to act on such person's behalf.
- Any personal information we collect from you to verify your identity in connection with you request will be used solely for the purposes of verification.
- We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete a transaction for which we collected the personal information, provide something that you requested, take actions reasonably anticipated within the context of our ongoing relationship with you, or fulfill any legal obligations we may have.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
- We do not provide these deletion rights for personal information (including health information) that is stored or otherwise used by healthcare systems or other Covered Entities (as that term is defined in HIPAA). Contact your healthcare system(s) if you have questions about these rights with respect to information about you that is stored or otherwise used by them.
How to Contact Us. Please contact us or our Data Protection Officer by post, email or telephone if you have any questions about this privacy policy or the information we hold about you.
Our contact details are shown below:
Our contact details | Brandi Lang, Privacy Officer |
contact address | 300 E. Main Street, Suite 300
Durham, NC 27701
|
contact email address | privacy@velocityclinical.com |
contact telephone number | 919-926-1804 |