This privacy policy is in effect starting May 25, 2018 and was most recently updated November 21, 2022.
Introduction
Your privacy is very important at DFnet. You should feel confident that your personal information is both protected and respected and only used for the purposes outlined below. We aim to always follow all current laws and regulations for data protection.
All personal data processed in the context of your relationship with DFnet is used to provide, perform, and improve the services that we provide you. Information about you is directly or indirectly disclosed by you or by your company in a variety of ways, including:
- Registering for an account on our website.
- Joining our DFUG mailing list.
- Registering for services such as webinars, conferences, and trainings.
- When you contact our support team to access DFnet services.
Privacy and Security Measures
We use a variety of technical and organizational security measures to protect your information. This includes routine employee training and instruction on how to handle all personal data to adequately meet current laws and regulations.
We never give, share, sell, or transfer any personal information to a third party beyond our DFnet companies, other than subcontractors performing activities directly related to providing support and delivering our services to you or clinical investigators responsible for studies in which you have enrolled.
Data We Collect
We collect personal data on our websites, through social media, and through financial records:
Websites: Our websites use cookies for general tracking purposes and for data analytics to help us improve our website’s performance and content. If you sign up for the DFUG mailing list, a website account, or request more information through one of our contact forms, we may obtain information such as name, address, telephone number, email address, and other information needed to provide the information you request.
We may use our website to post and process notices for webinars, trainings, and user group conferences. We collect contact information, including name, address, telephone and email address to provide these services to you. Credit card information is processed through a third party and is not retained by DFnet.
Social Media: If you follow, contribute to a discussion, or like us on one of our social media sites, your name and links to details that you have disclosed as part of your membership may be visible to others who use the site.
Financial Records: Our internal accounting system stores the official company name, contact person, and billing address of each customer, and contains a list of usernames and emails in order to generate updates, invoices, quotes, and licenses.
Why We Collect This Data
We collect this information solely to provide the services requested by you or your employer. For example, if you sign up to the DFUG mailing list, or request an account on our website, we need your email address, and potentially other information, to provide those services. The same is true for support requests or other inquiries. We need basic personal information to deliver the services requested.
We may pool data together for statistical reasons to improve and develop our operations, website, products, and services. We also use third party cookies from trusted providers such as Google Analytics, including analysis of usage, to help us improve our website.
We may also collect data to fulfill a DFnet legal obligation as outlined by our contract with your organization, for example, a name and address for invoice remittance.
California Consumer Privacy Act (CCPA)
DFnet does not sell or share any information collected on individuals registering for an account on our website, joining our DFdiscover User Group (DFUG) mailing list, registering for services such as webinars, conferences, and trainings, or when contacting our support team to access DFnet services. We delete this information upon request as required by the California Consumer Privacy Act of 2018. The only potential impact of such requests is directly related to services we provide. We need an email address in order to include you on DFUG emails or online training events, and we need a name in order to register you as an attendee at a DFdiscover User Group Meeting. If your employer uses a DFdiscover server that we manage, we also need to store your name in order to give you access to DFexplore, DFsetup or DFadmin as authorized for study management according to applicable SOPs and to ensure that the system creates audit trails which meet the requirements of 21 CFR 11. Storing an email address along with your name on a DFdiscover server allows you to reset your password without administrative assistance if you ever forget it, but you may opt out of this feature if you want to.
Other State Laws
Both Virginia and Colorado have passed privacy laws which take effect in 2023 and apply to companies which control or possess the data of 100,000 or more state residents. Because DFnet does not control or possess the data of that many people in either state, these laws will not apply to us. However, we remain committed to the privacy of every human being wherever they live and are always working actively to protect the data we manage.
Your Rights
You have the right to request information about any personal information relating to you that is held by us as a data controller, free of charge once a year, regardless of how this information is gathered. Requests for such information must be made in writing to:
DF/Net Research, Inc.
140 Lakeside Ave, Ste 310
Seattle, WA 98122 USA
Corrections and Objections
If your personal data is handled in opposition to current laws relating to personal data, you have the right to ask that the personal data be provided, corrected, blocked or deleted.
You also have the right to recall your personal data at any time. Note however, that a recall of this type will mean that you may no longer be able to use the related DFnet services. For example, if you opt out of the DFUG mailing list, you will no longer be able to receive those emails automatically from the system. Please note that you may have access to DFnet services as part of your employment with an organization that has an agreement with DFnet. For example, if you are the person that receives new licenses, and request that your personal information no longer be used, your organization may stop receiving new licenses as expected.
If you object to the way in which we are processing your data, you need to specify what your objections are. If we claim legitimate interest in spite of your objection, we need to prove that our needs to process your personal data override your rights. If the data are processed due to direct marketing you always have the right to object.
Right to be Forgotten
DFnet saves data only as long as it is needed. When the purpose of the processing of your personal data has been fulfilled, we will delete the data. For example, when you unsubscribe to the mailing list, or ask to be removed as a website user, we delete that data.
We store statistics from the traffic data to our website for the purpose of improving our website services. To limit damage to and protect you from internet fraud, we save IP addresses so that we can search, block, and delete addresses and messages to prevent the spread of viruses, spam, and trojans.
Email conversations with DFnet Support may be stored to track common problems and solutions, and to aid in solving other client support questions. Support information is not externally shared across clients, unless authorized by the client.
Clinical Data
DFnet manages data collection systems for contracted clients performing clinical research. The DFdiscover servers we manage contain data collected for clinical trials conducted in various countries and regions throughout the world. Concerted efforts are made to collect only de-identified data in these databases, but there are instances in which adverse event management or unique study needs require us to collect information specific enough to identify an individual. Complete details for each trial are provided within the informed consent documents signed by each study participant prior to enrollment.
While a study participant may withdraw consent at any time and have their data deleted from a clinical database, there is no logical way to remove all traces of any individual from a system audit trail without impacting the integrity of the audit trail itself in violation of 21 CFR 11 (USA) and similar regulations in other jurisdictions. It is also impossible to remove a single individual’s data from system backups without degrading our ability to recover from equipment failures, fires, floods, or other catastrophic events. Existing laws provide specific exceptions to resolve this conflict. For example, Article 89, Paragraph 3 and Recital 159 of GDPR provide an exception for Clinical Research, considering public need, which exempts us from removing an individual’s data from audit trails or previously created backups.
HIPAA
DFnet is not a covered entity under HIPAA but does occasionally function as a Business Associate for specific projects. Our staff update their HIPAA training regularly and we sign Business Associate agreements when applicable.
Special Considerations for the European Union
We recognize that US President Biden recently signed an executive order intended to implement a new agreement with the European Union (sometimes referred to as “Privacy Shield 2”) that limits data collection by US Intelligence agencies and creates a Civil Liberties Protection Officer (CLPO) responsible to approve specific requests based on defined, limited criteria. This plan allows anyone who objects to US access to their data to appeal decisions of the CLPO to a Data Protection Review Court (DPRC). It remains to be seen if the European Court of Justice will accept this framework, and we will amend this privacy policy once the full impact of this effort is understood. In the meanwhile, DFnet will continue to transfer data out of the European Union only as allowed by the General Data Protection Regulation (GDPR) as specified in contractual agreements with our clients.
Other National Laws
Because we have a significant presence in these nations, we pay particular attention to the Protection of Personal Information Act (POPIA) in South Africa and India’s IT act, which requires that companies maintain “reasonable security practices and procedures.” We note that, in 2012, the supreme court of India unanimously ruled that the right to privacy was an intrinsic element of the promise of the right to life and personal liberty protected under Article 21 of the Indian constitution. However, we believe that people everywhere have a right to maintain the privacy of their personal data and control how it is used, and we recognize that most nations have laws intended to support these rights. Therefore, DFnet works with our clients, wherever they collect data, to document organizational and technical controls and add standard contractual clauses to contracts as needed to meet applicable privacy requirements.
How to Contact Us
DFnet acts both as data controller and processor under General Data Protection Regulation (GDPR) but is only responsible for personal information access requests in its role as a controller. Requests for information about, corrections to, or deletion of your data should be sent in writing to:
DF/Net Research, Inc.
140 Lakeside Ave, Ste 310
Seattle, WA 98122 USA
We regularly review and update this Privacy Policy. If there are any changes to this Privacy Policy, we will post them on our website so that you are completely aware of how the changes will affect you.