This Policy explains how and why Fondazione Penta Onlus (Penta) and any collaborators involved in Penta studies process (e.g. collect, use, store and share) personal data in the context of such studies, as well as protect individuals’ rights regarding personal data that we process. We will process any personal data in accordance with this Policy and with all applicable laws.
WHAT ARE PERSONAL DATA?
Personal data refers to information on an individual which enables the identification of the individual, such as name, address, gender, age/date of birth, etc.
In the European Union, the processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”) and by the national legislation of each Member State.
The types of personal data generally collected in observational and interventional studies include demographic information such as name, address, gender, date of birth, contact information and clinical and laboratory data.
In addition, and only if strictly necessary for study purposes (i.e., to guarantee the safety of patients in the study), other personal data related to racial or ethnic origin, lifestyle, etc. may be collected.
In accordance with GDPR, only data absolutely necessary for fulfilling study objectives can be collected.
WHO PROCESSES PERSONAL DATA?
In observational and clinical studies, both data controllers and data processors may process personal data. Data controllers are researchers and clinicians who determine the purposes and means of data processing, while processors act on behalf of data controllers in processing personal data.
Participating clinical sites, the Clinical Trial Unit (CTU) and Penta as Sponsor of the study, are joint-data controllers, which means that they are all responsible for the protection of the personal data collected. The Institution analysing the data is the data processor.
All joint-controllers and processors are contractually obliged to protect the confidentiality and security of personal data, in compliance with applicable law.
Personal data can also be accessed by or transferred to any national and/or international regulatory, public body or court, where Penta is required to do so by applicable law or regulation or at their request.
WHY ARE PERSONAL DATA PROCESSED?
Processing personal data is essential to perform the studies and meet their objectives. If Penta or other researchers wish to process personal data for any objective other than those of the study the participating patient will be contacted to ask their consent.
Providing personal data is mandatory for participation in the study, but will not result in any consequences, ill-feeling or prejudice in the way the patient will be treated.
HOW ARE DATA PROCESSED?
Personal data will be processed electronically.
The physicians involved in the study will substitute patient name with a study specific code and will not provide the patient name to the Clinical Trials Unit or Penta. This study specific code will be sent with the information collected for the study and any biological sample (if collected), in order to exclude any possibility of identifying the patient.
Penta will store these data for the time necessary to pursue the purpose of the study.
Only anonymised data, meaning data that can no longer be linked to the patient, will be disclosed and disseminated, for example, in scientific publications and meetings.
HOW LONG WILL PERSONAL DATA BE KEPT FOR?
Penta will securely store personal data collected in the study for the maximum period permitted, according to the European Clinical Trial Regulation in its latest version, after the clinical trial completion. Clinical sites will securely store the key linking personal data to individual patients for the maximum period of time permitted by the clinical sites. For more detailed information please refer to study related Patient Information Sheet.
PROTECTION OF PATIENT’S RIGHTS
When patients contribute to a research study, their right to access, change or move collected personal data are limited, as Penta need to manage the information rigorously in order for the research to be reliable and accurate (GDPR art. 89, paragraph 2).
The patient can ask to correct any personal information which may have been erroneously collected and/or annotated in a study.
The patient can withdraw from the study at any time without explanation and may request to destroy any stored biological samples, but information which has already been collected will not be destroyed.
Patients wishing to raise a complaint about how Penta handled their personal data, can contact Penta as study sponsor at firstname.lastname@example.org, who will investigate the matter. If the patient is not satisfied with the response, they can complain to the Garante della Privacy (www.garanteprivacy.it).
Padova, 24th October 2018