INTRODUCTION

RQM+ is committed to protecting the privacy and security of personal data that we process on behalf of other organizations (the “Controller”). This Privacy Policy explains how we, as a Data Processor under the EU and UK GDPR and the Swiss General Data Protection Regulation, process personal data strictly in accordance with our contractual obligations and the Controller’s instructions.


ROLE AS DATA PROCESSOR

We act as a data processor for our clients, who are the data controllers responsible for determining the purposes and means of the personal data processing. Our processing activities are governed by a Data Processing Agreement (DPA) or other contractual arrangements. We do not control or own the personal data that we process on behalf of our clients.


ENGAGING ANOTHER PROCESSOR

RQM+ shall not engage another Processor without prior written authorization of the Controller. RQM+ shall inform the Controller of any intended additions/replacements of other Processors so the Controller has the opportunity to object to such changes. If another Processor is engaged, the same contractual obligations between the Controller and RQM+ are required of other Processors as specified in a binding contract or other legal act, and the initial Processor remains fully liable for any failure to meet obligations under that contract.


TYPES OF PERSONAL DATA PROCESSED

As a Processor, RQM+ receives from its clients pseudonymized data produced by certified clinical trial platforms that collect personal data and use technology designed to create pseudonymized data.

  • What is Pseudonymized Data?
    Pseudonymized data refers to personal data that has been processed in such a way that it can no longer be attributed to a specific individual without the use of additional information. This additional information is kept separately and is subject to strict technical and organizational controls to ensure the data cannot be re-identified.
  • Examples of pseudonymized data include:
    • Unique identifiers (e.g., pseudonyms or codes) that replace identifiable information.
    • Data processed for research, statistical, or analytical purposes with direct identifiers removed.
  • Purposes of Processing Pseudonymized Data
    We process pseudonymized data for the following purposes:
    • Research and analytics to improve our services.
    • Compliance with legal or regulatory requirements.
    • Enhancing security and preventing unauthorized access to sensitive data.
    • Supporting anonymized reporting for business insights.

We ensure that pseudonymized data is used only for legitimate and clearly defined purposes.

Lawful Basis for Processing

RQM+ shall process personal data in accordance with all applicable laws and contractual obligations, and will not process personal data unless at least one of the following six requirements is met:

  • Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • Contract: The processing is necessary for the performance of a contract the data subject is party to, or to take steps requested by the data subject prior to entering into a contract;
  • Legal obligation: The processing is necessary for compliance with a legal obligation;
  • Vital interest: The processing is necessary to protect the vital interests of the data subject or of another natural person;
  • Public task: The processing is necessary for the performance of a task carried out in the public interest or in exercising official authority vested in RQM+;
  • Legitimate interest: Processing is necessary for the legitimate interests of RQM+ or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Some circumstances allow personal data to be further processed for purposes beyond the original purpose for which the data was collected. When determining the compatibility of a new processing purpose, guidance and approval shall be obtained from the DPO before any such processing occurs. RQM+ shall consider the following to determine if further processing is for a purpose that is compatible with the original purpose:

  • Any link between the purpose for which the personal data was collected and the reasons for intended further processing;
  • The context in which the personal data has been collected, particularly the relationship between data subjects and the Controller;
  • The nature of the personal data, particularly whether special categories of data, or personal data related to criminal convictions and offenses are being processed;
  • The possible consequences of the intended further processing for the data subject; and
  • The existence of appropriate safeguards for further processing, which may include encryption, anonymization or pseudonymization.

SPECIAL CATEGORIES OF DATA

RQM+ will only process special categories of data where the data subject explicitly consents to such processing or where one of the following conditions applies:

  • The processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is incapable of giving consent;
  • The processing involves data that has already been made public by the data subject;
  • The processing is necessary for the establishment, exercise or defense of legal claims;
  • The processing is specifically authorized or required by law or for a judicial process; or
  • Personal data is processed under the obligation of professional secrecy under law or rules established by national competent bodies (e.g., HIPAA).

In any case where special categories of data are to be processed, prior approval shall be obtained from the DPO and the purpose for processing clearly recorded with the related personal data. When processing such data, RQM+ shall also adopt additional technical and organizational data protection measures.

Processing of personal data relating to criminal convictions and offenses shall be performed only under the control of official authority or when the processing is authorized by law and additional data protection measures are adopted to protect the rights and freedoms of data subjects.

  • How We Ensure the Security of Pseudonymized Data
    We implement robust technical and organizational measures to safeguard pseudonymized data, including:
    • Data encryption and secure storage of pseudonymization keys separately from the pseudonymized dataset.
    • Access controls to limit access to authorized personnel only.
    • Regular security audits and testing to identify and address vulnerabilities.
    • Policies and procedures for securely managing and deleting pseudonymized data when no longer needed.
  • Retention Period
    Pseudonymized data will be retained for as long as necessary to fulfill the purposes outlined in our contracts with the Data Controller, or as required by law. After the retention period, pseudonymized data will be securely deleted or further anonymized.

Sharing and Disclosure of Pseudonymized Data

  • We do not share pseudonymized data with third parties unless:
    • You have provided explicit consent.
    • It is necessary for fulfilling a contractual obligation.
    • We are legally required to disclose data.
    • We engage trusted service providers to process data on our behalf, subject to strict contractual safeguards.

We will only disclose personal data to:

  • Authorized Sub-processors: Third parties engaged by us to assist in providing services to the Controller, such as platforms used in clinical trials. All sub-processors are subject to written agreements that bind them to data protection obligations comparable to those in our agreement with the Controller. We ensure that third parties adhere to GDPR standards when handling pseudonymized data.
  • Legal or Regulatory Authorities: Only as required by law or a valid court order, and where feasible, we will promptly inform the Controller before disclosing data.


DATA SECURITY

We prioritize the confidentiality, integrity, and availability of your personal data. Our security measures are designed according to the NIST Cybersecurity Framework and include:

  • Identify: Regular assessments of systems and assets to manage cybersecurity risks.
  • Protect: Deployment of encryption, firewalls, and access controls to safeguard data.
  • Detect: Continuous monitoring and anomaly detection tools to identify threats.
  • Respond: Established incident response plans for data breaches.
  • Recover: Comprehensive disaster recovery and business continuity plans to ensure resilience.

These measures are regularly reviewed to meet evolving threats and comply with GDPR Article 32.


DATA STORAGE

  • Location of Data Storage – Your personal data is stored on secure servers in the United States and/or the European Union. We ensure that these storage facilities comply with GDPR requirements for data security and protection.
  • Cloud Storage Providers – If we use cloud storage services, these may involve data processing and storage in different regions. For example, some of our service providers may operate servers in the United States and/or the European Union. We only work with vendors that offer GDPR-compliant terms and ensure data security through encryption and access controls.

BREACH REPORTING

  • Notification of Personal Data Breaches – If RQM+ becomes aware of a personal data breach, it will notify the relevant Controller without undue delay. Most Controllers will expect to be notified immediately, and may contractually require this, as they only have a limited time in which to notify the supervisory authority (such as the ICO). RQM+ will also assist the Controller in complying with its obligations regarding personal data breaches.
  • Notification of Potential Data Protection Infringements – RQM+ will notify the Controller immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws.
  • Accountability Obligations – RQM+ will comply with GDPR accountability obligations, such as maintaining records and appointing a Data Protection Officer.


DATA DELETION

Best practices used in our data deletion process:

  • Audit and Inventory Data: Maintain an up-to-date inventory of stored data to ensure complete deletion when required.
  • Document Deletion Processes: Keep records of data deletion, including methods used and the date of deletion, for accountability.
  • Certify Deletion: Obtain certification or reports when using third-party services for data erasure.
  • Periodic Testing: Regularly test deletion processes to ensure compliance and effectiveness.

DATA DELETION METHODS

Data that is no longer needed is securely deleted or anonymized. Several methods may be used to delete data depending on the storage technology; these include:

  • Overwriting – Use certified software tools that comply with standards like NIST SP 800-88 Guidelines for Media Sanitization or ISO/IEC 27040.
  • Encryption with Key Destruction – Encrypting data and securely deleting or destroying the encryption key, making the data irretrievable.
  • Data Anonymization – Irreversibly modifying data to remove the ability to link it to individuals.
  • Cloud Storage Deletion – Instructing cloud providers to delete data in compliance with GDPR, ensuring that data is removed from:
    • Active servers.
    • Backups and redundant systems.

DATA SUBJECT RIGHTS

As a data processor, we assist the Controller in fulfilling its obligations with respect to data subjects’ rights under the GDPR. If we receive any request from a data subject to exercise their rights (such as access, rectification or erasure), we will promptly forward the request to the Controller. We do not respond directly to data subject requests unless expressly authorized by the Controller.

INTERNATIONAL TRANSFERS

RQM+ shall transfer personal data to a third country or an international organization only if the Controller or Processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.

RQM+ will provide the appropriate safeguards by one or more of the following:

  • EU-U.S. Data Privacy Framework;
  • A legally binding and enforceable instrument between public authorities or bodies;
  • Binding corporate rules;
  • An approved code of conduct together with binding and enforceable commitments of the Controller or Processor in the third country to apply the appropriate safeguards, including data subjects’ rights; or
  • An approved certification mechanism together with binding and enforceable commitments of the Controller or Processor in the third country to apply the appropriate safeguards, including data subjects’ rights.

Subject to authorization from the competent Supervisory Authority, RQM+ may also provide appropriate safeguards by:

  • Contractual clauses between RQM+ and the Controller, Processor or recipient of the personal data in the third country or international organization; or
  • Provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

APPOINTING A REPRESENTATIVE WITHIN THE EUROPEAN UNION

Although RQM+ is based outside of the EU and offers services to individuals inside the UK and EU, it currently has offices inside the UK and EU, so it is not necessary to appoint a representative in the EU. Should that change and RQM+ no longer have an office in the EU, an EU representative may need to be appointed.


COOPERATION WITH SUPERVISORY AUTHORITIES

RQM+ will cooperate with supervisory authorities to help them perform their duties.


MAKING A COMPLAINT

Data subjects with a complaint about the processing of their personal data by the Data Controller or RQM+ (or third-party associates) have the right to lodge a complaint directly with the Controller, the Supervisory Authority, or RQM+’s DPO or delegate at [email protected].

If the complaint is made directly to RQM+ we will provide the Data Subject with the contact information of the appropriate Data Controller. RQM+ will assist the Data Controller or Supervisory Authority with any investigation of the complaint.

Updated April 2025
