AplusA Group commitments regarding protection of personal data through its surveys
Effective as of April 2020
- Lawfulness of personal data processing as part of AplusA’s market research studies and surveys, and consent:
In accordance with Article 6 of the GDPR, AplusA only collects personal data if it obtains the freely given, specific and informed prior consent of the person contacted to respond to the market research study or survey, after having explained to that person the purpose of data collection in a clear, accurate and concise way.
AplusA will keep evidence of this consent for the period necessary for processing, generally the duration of the study and associated quality control activities.
AplusA undertakes to inform the person responding to the study of the origin of their data if this data comes from a contractor or customer rather than being directly generated by AplusA. The new European Regulation authorizes AplusA to reuse customer data for research purposes, as market research studies are categorized as scientific research.
- Nature of the personal data processed and duration of their storage
AplusA has made a commitment that personal data will not be stored longer than for the purpose for which they were collected or processed, with the application of clear provisions on retention periods.
If you have any questions related to the processing of your personal data, please refer to the section “Your rights” below.
- Minimization and anonymization of personal data
AplusA has made a commitment to reduce the impact of personal data collection by limiting and minimizing collection to the elements required for the purposes of the study, and by ensuring that this data is not used in a way that is incompatible with these purposes.
AplusA has also introduced procedures to guarantee that those participating in its studies do not experience any harm or injury as a direct result of their collaboration in the study, using anonymization techniques and by limiting access to personal data to field teams and study personnel working on the study in question.
Finally, AplusA undertakes to preserve the anonymity of the persons responding to its studies vis-à-vis the end customer by providing it with only non-nominal aggregated or raw data, except where agreement and consent are given by the persons responding to the studies if pharmacovigilance obligations require AplusA to communicate their identities to the customer, or as part of transparency declarations (e.g. Sunshine Act in the USA).
- Sharing of personal data
4.1 External service providers:
In addition to the transfer of personal data to its internal teams, subsidiaries and IT teams, AplusA may use a supplier or subcontractor to perform certain services related to its activity and may therefore transfer personal data to it. AplusA selects its suppliers and ensures that they have the ability to comply with the directives and regulations related to the protection of personal data, and will transfer the personal data only if a commitment and agreement has been previously signed between this external service provider and AplusA.
4.2 International transfers
Personal data submitted through our studies resides on our servers located in our data center (Fiducial) in France.
AplusA’s legal entities outside the European Union have entered into intra-company data protection agreements using standard contractual clauses prepared by the European Commission. These agreements require the contracting parties to respect the confidentiality of your Personal Information and to handle European personal data in accordance with applicable European data protection laws. AplusA’s legal entities outside the European Union are the following:
AplusA – Building 3, Chiswick Park, 566 Chiswick High Road, London W4 5YA, UK
AplusA Bell Falla, 570 Broad Street, Suite 502, Newark, NJ 07102, United States
AplusA does not transfer any personal data outside the European Economic Area (EEA) unless a prior transfer agreement has been established with the entity receiving the personal data, and unless it has received guarantees that this entity has implemented measures offering the same level of security as that required by European regulations.
In any case, AplusA only transfers personal data outside the EEA after having obtained the consent of the persons responding to the studies.
4.3 Public bodies
AplusA may disclose personal data to public bodies, courts, administrative bodies or the administrative authority responsible for the protection of personal data if the law so requires or if it receives an order requiring it to do so.
- Sensitive data processing
Since AplusA processes only health data, AplusA undertakes to process these sensitive data in accordance with applicable regulations. In particular, AplusA is committed to treating on a case-by-case basis the requests for studies that, because of their type of processing, would expose respondents to AplusA’s studies to high risk.
In close consultation with the client and prior to their implementation, these studies will be the subject of an impact analysis to determine the proposed operations’ issues in terms of the protection of personal data. It has been decided that all non-interventional or observational studies will be the subject of an impact study.
This analysis will include at least:
- A systematic description of the processing operations envisaged and the purposes of the processing;
- An assessment of the necessity and proportionality of the operations with regard to the purposes;
- An assessment of the risks created by the processing;
- Measures to deal with these risks.
- Personal data concerning children
AplusA will not collect or process personal data about children under the age of 16 – or the legally required age defined by French law or by the applicable law – without the prior permission of the parent(s) or legal guardian(s).
- Your rights:
Under the applicable law, you have the following rights:
- Access to personal data: We will make available to you the personal data about you in our custody or control that we have collected, used or disclosed, upon your written request, to the extent required and/or permitted by law.
- Rectification of your personal data: If you think that your personal data is inaccurate, you can ask for its rectification.
- Erasure of your personal data: If you believe that AplusA no longer needs to process your personal data, you can ask for its erasure from our databases.
- Restriction of the processing of your personal data: If you believe that the processing of your personal data is either inaccurate or unlawful, you can ask for the restriction of this processing. AplusA will then only store this data and no longer process it in any other way without your consent.
- Opposition to the processing of your personal data: If you previously consented to the processing of your personal data by AplusA, you have the right to object to this processing of your data on grounds relating to your particular situation and at any time.
- Deciding on the processing of your personal data after your death: At any time, you or a person you designated can inform AplusA of your decision about the processing of your personal data after your death, whether this is the erasure, the conservation or the communication of this data.
To exercise any of these rights related to the personal information that we may hold about you, we require that you submit your request in writing to firstname.lastname@example.org. When we receive an access request from an individual, we will attempt to fulfil the request within 30 days.
In certain situations, however, we may not be able to give individuals access to all or some of their personal data. If we deny an individual’s request for access to their personal data, we will advise the individual of the reason for the refusal.
- Dedicated team, training and internal tools
8.1 Internal tools
In accordance with regulatory requirements, AplusA maintains specific internal documentation:
- Documentation relating to the processing of personal data: the processing register, impact assessments carried out, the management of non-EEA transfers or contractual clauses;
- Documentation relating to information to persons: information statements given to the person whose data were collected, the form for the collection of the consent of the persons, the procedure put in place for the exercise of the rights of persons (right of access, modification etc.);
- Contracts defining the roles and responsibilities of each actor: contracts with subcontractors.
8.2 Training
AplusA has launched a training and awareness programme for all its teams on the new European regulation on the protection of personal data.
8.3 Dedicated team
AplusA has set up an internal team dedicated to the protection of personal data, headed by the Data Protection Officer, the Quality Manager and the Head of IT.
The security of your personal data is very important to us. We have put in place reasonable physical, electronic, and administrative procedures to safeguard the information AplusA collects. Access to your personal data is granted only to those employees who require it in order to perform their duties.
AplusA has implemented security protocols to control risks, as described in an AplusA technical protocol, notably through the use of an encrypted, secure messaging service for sending and receiving personal data files. This protocol complies with internationally recognized standards and is regularly examined and updated if necessary.
- Changes to this policy