EU-US Privacy Shield Policy

Last Updated: September 30, 2017


SynteractHCR, Inc. (SynteractHCR) participates in and complies with the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries and from Switzerland.  SynteractHCR has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. If there is any conflict between the policies in this SynteractHCR EU-US Privacy Shield Policy (“Privacy Shield Policy”) and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program please visit the Department of Commerce’s dedicated Privacy Shield website, located here, and to view our certification page, please visit

Privacy Shield Privacy Policy

SynteractHCR is committed to protecting your privacy. This privacy policy (the “Policy”) sets out the privacy principles which SynteractHCR follows with respect to transfers of personal data from the European Union (EU) to the United States including personal data relating to employees, customers, business partners as well as the personal information of healthcare professionals and clinical study participants where SynteractHCR is providing services to its customers as a Clinical Research Organization.  

Privacy Shield Scope

This Policy applies to all personal information, whether in electronic or paper format, received by SynteractHCR in the United States from the EU member countries and from Switzerland, and outlines our general policy for the implementation of the Principles. This Privacy Shield Policy does not apply to Personal Data transferred under Standard Contractual Clauses or any approved EU or Swiss data transfer mechanism.  Further, this Privacy Shield Policy does not govern SynteractHCR’s processing of its employees’ Personal Data, which is subject to internal SynteractHCR human resource policies and procedures.  SynteractHCR’s adherence to the principles set forth in this Privacy Shield Policy may be subject to limitation to the extent necessary to meet national security, public interest, or law enforcement requirements; by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or if an EU, Member State, or Swiss law allows exceptions or derogations.

Privacy Shield Definitions

For the purposes of the Policy, the following definitions shall apply:

  1. “Agent” means any third party processing personal information on behalf of, and under the instruction of SynteractHCR.
  2. “European Union” or “(EU)” means for the purposes of this Policy all countries within the European Economic Area (EEA).
  3. “SynteractHCR” means SynteractHCR, Inc. and any of its affiliates, subsidiaries, divisions, or groups in the United States listed on SynteractHCR’s Privacy Shield certification located at
  4. “Personal data” and “personal information” means data about an identified or identifiable individual that are within the scope of the Directive, received by SynteractHCR in the United States from the European Union, and recorded in any form. It does not include personal information that has been anonymized or that is publicly available, that has not been combined with non-public personal information.
  5. “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
  6. “Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sex life. In addition, SynteractHCR will treat as sensitive, any information received from a third party where that third party treats and identifies the information as sensitive.

Privacy Shield Principles

The privacy principles in this Policy are in accordance with the Principles set out in the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

  1. Notice

Where SynteractHCR collects personal information directly from individuals in the EU or in Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which SynteractHCR discloses that information, and the choices and means, if any, that SynteractHCR offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to SynteractHCR, or as soon as practical thereafter, and in any event before SynteractHCR uses the information for a purpose other than that for which it was originally collected.

Where SynteractHCR receives personal information from its subsidiaries, affiliates or other entities in the EU, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

During business operations, SynteractHCR may collect and process personal information relating to:

  • Study participants, clinical research investigators and their staff as well as medical and healthcare professionals. The collection of personal information such as contact information, qualifications, debarment status and account information is to facilitate the proper conduct of research studies and to carry out other study related services. Information collected may be transferred to the Sponsor of a study, business partners, SynteractHCR affiliates and third-party service providers performing study related duties and may furthermore be transferred to regulatory authorities; 
  • Customers, vendors and consultants. SynteractHCR keeps contact information, account numbers and information relating to billing, together with other information which may be necessary for the daily operation of SynteractHCR’s services including conducting customer, product and service surveys, direct marketing of products and services, handling customer complaints and enquiries, making disclosure under the requirements of any law applicable, any other directly related matters;
  • Prospective study participants, prospective investigators, and users of SynteractHCR applications and websites who make enquiries regarding SynteractHCR services may be asked to provide personal information in order to provide the requested information, products or services. Personal information provided may be used for the processing of requested transactions, improving the quality of our services, sending communications about our products and services, enabling our business partners and service providers to perform certain activities on our behalf and complying with our legal obligations, policies and procedures.   

SynteractHCR may use the personal information it collects to comply with our legal obligations, policies and procedures and for internal administrative purposes.

Personal information collected and/or processed may be disclosed to a particular study sponsor, third party service provider that supports SynteractHCR in its role within the clinical trial process, business partner, and/or where required, regulators or law enforcement agencies. SynteractHCR may not need to furnish notice where processing is necessary to respond to a government inquiry, is required or authorized by applicable laws, court orders or government regulations, or is necessary to protect SynteractHCR's legal interests and providing notice would interfere with the above requirements.

  2. Choice

SynteractHCR ensures that it uses and discloses personal information in ways that are consistent with the individual’s expectations and choices.  SynteractHCR offers individuals the opportunity to choose (opt out) whether their personal information is (i) to be used for direct marketing; (ii) to be disclosed to a third party, or (iii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.  Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.

For sensitive information, SynteractHCR will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  In addition, SynteractHCR will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.  SynteractHCR, however, is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is:

  1. in the vital interests of the data subject or another person;
  2. necessary for the establishment of legal claims or defenses;
  3. required to provide medical care or diagnosis;
  4. carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
  5. necessary to carry out the organization’s obligations in the field of employment law; or
  6. related to data that are manifestly made public by the individual.

Finally, “sensitive information” includes personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual.

  3. Accountability for Onward Transfer

Transfers of personal information to a third party acting as a controller or a processor are covered by the provisions of this Policy regarding Notice and Choice Principles.  SynteractHCR holds contracts with the third-party processors that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify SynteractHCR if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.

When transferring personal information to a third party acting as an Agent, SynteractHCR: (i) transfers such data only for limited and specified purposes; (ii) has ascertained that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with SynteractHCR’s obligations under the Principles; (iv) requires the agent to notify SynteractHCR if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under subsection (iv), SynteractHCR will take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

SynteractHCR is potentially liable in cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the EU-US Privacy Shield or the Swiss-US Privacy Shield. 

  4. Information Security

SynteractHCR employs reasonable and appropriate technical, administrative and physical safeguards designed to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data it’s processing.

  5. Data Integrity and Purpose Limitation

SynteractHCR uses personal information only in ways that are consistent with the purposes for which it was collected or subsequently authorized by the individual. SynteractHCR takes reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current.

SynteractHCR will only collect and store personal information that is relevant to fulfill the purpose of its collection and will retain such information no longer than appropriate to fulfill the purpose, as is required by law or regulation, or to the extent necessary to reasonably serve the purposes of archiving for scientific research.

  6. Access and Correction

Upon request, SynteractHCR will grant individuals confirmation whether or not SynteractHCR processes their personal information, and reasonable access to the personal information it holds about them.  In addition, SynteractHCR will take reasonable, good faith steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or has been processed in violation of the Principles.  SynteractHCR will respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual.

As an exception to the above, SynteractHCR may restrict an individual’s right to access when:

  • fulfilling an access request could violate the legitimate rights of persons other than the individual
  • the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question
  • providing access could reveal SynteractHCR confidential information
  • providing access would interfere with the execution or enforcement of the law or with private causes of action
  • providing access would lead to a breach of legal or professional privilege or obligation
  • providing access would prejudice an employee security investigation or the succession planning of an employee
  • providing access would prejudice the monitoring, inspection, or regulatory functions connected with sound management, or in future or ongoing negotiations involving the organization.

SynteractHCR has the burden of demonstrating that a claimed exception, restriction, or limitation to an access request is necessary and legitimate.  SynteractHCR may charge a reasonable fee to fulfill access requests.

Access requests should be sent to

  7. Recourse, Enforcement and Liability

Any complaints or concerns regarding the use or disclosure of personal information transferred from the EU to the US should in the first instance be directed to the SynteractHCR Global Data Protection Officer at the address given below. SynteractHCR will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles within 45 days of receiving a complaint, at no cost to the individual. In instances where complaints cannot be resolved internally, SynteractHCR has agreed to cooperate with JAMS pursuant to the JAMS International Arbitration Rules. For more information and to submit a complaint to JAMS, visit  Such independent dispute resolution mechanisms are available to Individuals free of charge. If any request remains unresolved, individuals may have a right to invoke binding arbitration under Privacy Shield.

SynteractHCR complies with the Privacy Shield Principles and is subject to the investigatory and enforcement powers of the Federal Trade Commission.


SynteractHCR will use a self-assessment verification approach and conduct annual compliance audits (or more frequently, if necessary) of its applicable privacy practices to verify adherence to its privacy practices described in this policy. SynteractHCR's employees receive annual training on SynteractHCR's privacy principles and practices.  Any employee that SynteractHCR determines is in violation of this policy will be subject to disciplinary action.

Limitation on Scope of Principles

Adherence by SynteractHCR to this policy may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement.

Changes to this Policy

This policy may be amended from time to time, consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended policy, as stated. 

Notification of Changes

As SynteractHCR evolves and as privacy laws and regulations change, it may be necessary to revise or update our Privacy Policy. When we do, we will also revise the "last updated" date at the top of the Privacy Policy.

Contact Information

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us by sending a letter to:

SynteractHCR, Inc. 
5909 Sea Otter Place
Suite 100
Carlsbad, CA 92010
Attn: Privacy Officer

You may also contact us by e-mail at
