We understand and respect that your privacy is important to you. We use and share personal information that you provide online only in ways that we tell you about. We secure personal information that you provide online to prevent it from being used and shared for other purposes. For more details, please read our Internet Privacy Policy below or contact us.

CRF Inc. and its parent corporation CRF Box Oy and its subsidiary CRF Inc. LTD. (collectively “CRF Health”) offers online newsletters and mailings of information about our organization. This is designed to provide product-related information and services, as well as corporate and financial news and employment information.

Respect for the privacy of personal information about you is very important to CRF Health. CRF Health is committed to adhering to this Privacy Policy, as well as applicable laws, rules and regulations. This Privacy Policy applies to Personal Information (as defined below) collected by CRF Health’s online resources located under the domain name, and subdomains of, including all related pages (“Web Site”). This Privacy Policy does not apply to personal information collected from offline resources and communications. This Privacy Policy also does not apply to third-party online resources to which this Web Site may link, frame or otherwise reference.

This Privacy Policy is consistent with CRF Health’s Safe Harbor and Privacy Policy for transfers of personal information from the European Economic Area to the United States. This Policy also addresses the CRF Health approach to assurance of compliance with all other privacy and data protections regulatory requirements.

Please read this Privacy Policy carefully. Should you have any questions about this Privacy Policy or CRF Health’s data collection, use and disclosure practices, please contact us at the address that is most relevant to you.

(1) How does this Privacy Policy define “Personal Information”?

The term “Personal Information” as used throughout this Privacy Policy, applies to any information or set of information that is collected by CRF Health through its Web Site that can identify you (if provided by you), such as your name, address, phone number, e-mail address, company name and position.

(2) Why does CRF Health collect, use and disclose Personal Information?

CRF Health collects identifying information when you visit the Web Site (including, without limitation, any web pages or landing pages), and when you submit data to through a form such as those found on contact pages.

When you visit the Web Site, CRF Health collects your Internet Protocol (“IP”) addresses to track and aggregate non-personal information. For example, CRF Health uses IP addresses to monitor the regions from which you navigate CRF Health’s Site.

In addition, we receive and store certain types of information whenever you interact with us via our Web Site, including what pages you visit and activities you perform on our Site. CRF Health automatically receives and records certain “traffic data” including your IP address, third party cookie information, and the page you requested. CRF Health uses this traffic data to help diagnose problems with its server, analyze trends and administer the Web Site. We may also use any data we collect on or through the Web Site to better understand and market to our customers or website users, individually or in the aggregate.

CRF Health collects and uses Personal Information for several general purposes: to fulfill your requests for certain products and services, to personalize your experience on our Web Site, to keep you up to date on the latest product announcements, software updates, special offers or other information we think you would like to hear about, and to better understand your needs and provide you with better services. We may also use your information to send you direct marketing information or contact you for market research using automated tools to contact multiple recipients.

CRF Health will give you the opportunity to “opt out” of receiving such materials. This means we assume you have given us your consent to collect and use your information in accordance with this Privacy Policy unless you take affirmative action to indicate that you do not consent, for instance by clicking or checking the appropriate option or box at the point of collection or upon receiving an automated email or text message.

(3) Who will have access to personal information about me?

Personal information about you will be accessible to CRF Health, including its subsidiaries, divisions and groups worldwide.

CRF Health may also share such information with agents, contractors or business partners of CRF Health in connection with services that these individuals or entities perform for, or with, CRF Health. Such third parties are restricted from using this data in any way other than providing services for or on behalf of CRF Health or its affiliates.

Except as set forth above, we will not otherwise use or disclose any of your personally identifiable information, except to the extent reasonably necessary:
(i) to correct technical problems and malfunctions and to technically process your information;
(ii) to protect the security and integrity of our Web Site;
(iii) to protect our rights and property and the rights and property of others;
(iv) to take precautions against liability;
(v) to the extent required by law or to respond to judicial process; or
(vi) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety, as applicable. In addition, CRF Health reserves the right to provide any or all collected Personal Information to a third party in connection with the sale, assignment, or other transfer of the business to which the information relates if such third party agrees to treat all such information in accordance with this Privacy Policy.

(4) How does CRF Health secure personal information?

We use appropriate security measures to protect against the loss, misuse and alteration of data used by our system. It is your personal responsibility to secure your own copies of your passwords and related access codes for our online resources.

(5) How can you stop receiving e-mails or other marketing information from CRF Health?

If you wish to stop receiving emails or other marketing information from us you can unsubscribe by emailing us with your name and email address and request at

(6) How does CRF Health protect the privacy of children?

In general, CRF Health’s Web Site is not directed at children and all of the online content that we offer is designed for individuals who are 18 years of age or older.

(7) How may I access and correct personal information about me?

To gain access to personal information about you collected online, and to keep it accurate, complete and current, you may contact us at the address most relevant to you. Where permitted by law, your ability to access and correct personal information will be limited where access and correction would: (i) inhibit CRF Health’s ability to comply with a legal or ethical obligation; (ii) inhibit CRF Health’s ability to investigate, make or defend legal claims, result in disclosure of personal information about a third party; or (iii) result in breach of a contract or disclosure of trade secrets or other proprietary business information belonging to CRF Health or a third party.

(8) Cookie Policy

CRF Health uses cookies, tracking pixels and related technologies. Cookies are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us or third parties for a variety of purposes including to operate and personalize the website. Also, cookies may also be used to track how you use the site to target ads to you on other websites. A “session cookie” expires immediately when you end your session (i.e., close your browser). A “persistent cookie” stores information on the hard drive so when you end your session and return to the same website at a later date, the cookie information is still available. A web beacon is a small string of code that represents a clear graphic image, a redirect URL or JavaScript and is used in conjunction with a cookie.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this Web Site. Therefore it is recommended that you do not disable cookies although the final decision is yours.

The Cookies We Set

When you visit our Web Site, we may use both session and persistent cookies. This cookie may contain information (such as a unique user ID) that is used to track your usage of our Web Site, and may be used to send you ads or offers when you browse our Web Site or other websites. CRF Health employs cookies to enable our systems to recognize your browser and tell us how and when pages in our Web Site are visited and by how many people, and also in order for our server to recognize a return visitor as a unique user.

CRF Health uses Web beacons alone or in conjunction with cookies to compile information about your usage of CRF Health’s Web Site and interaction with emails from CRF Health. For example, CRF Health may place Web beacons in marketing emails that notify CRF Health when you click on a link in the email that directs you to CRF Health’s Web Site. CRF Health uses Web beacons to operate and improve CRF Health’s Web Site and email communications and to send more customized or relevant emails, advertisements and offers to users.

Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site. Third party analytics are used to track and measure usage of this site so that we can continue to produce engaging content. These cookies may track things such as how long you spend on the site or pages you visit which help us to understand how we can improve the site for you.

This Web Site uses an automation system provided by Marketo, Inc., which uses cookies to recognize you as a unique user when you return to the site, and to track various data related to your website usage in order to provide custom content or services related to your specific interests. The cookies placed by the Marketo server are readable only by Marketo. For more information on Marketo cookies and what they are used for, click here

CRF Health uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on your computer, to analyze your use of the website. The information generated by the cookie about your use of this website (including your shortened IP address) is transmitted to a Google server in the U.S. and stored there. Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and to provide other services related with the website and internet use. Google may also transfer this information to third parties if required by law, or where third parties process these data on behalf of Google. For more information about Google Analytics, or to opt out of Google Analytics, please go to:

Opting Out of Targeted Advertising

You may opt out of targeted advertising by visiting the DAA opt-out site ( or the NAI opt-out site (, or for those in Europe, the EDAA opt out site (

(9) What is CRF Health’s contact address for privacy questions?

Should you have questions about this Privacy Policy or CRF Health’s information collection, use and disclosure practices, you may contact us at the address most relevant to you. When you contact us, please note the name of the Web Site or other online resource to which you provided the information, as well as the nature of the information that you provided. We will use reasonable efforts to respond promptly to requests, questions or concerns you may have regarding our use of personal information about you. Except where required by law, CRF Health cannot ensure a response to questions or comments regarding topics unrelated to this Privacy Policy or CRF Health ‘s privacy practices.

(10) How will I know when CRF Health has updated this Privacy Policy?

CRF Health may update this Privacy Policy periodically. CRF Health reserves the right to modify, add or remove portions of this privacy statement at its discretion. If we decide to change this Privacy Policy, we will post those changes at this Web Site.


In accordance with Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, the Annex titled “Standard Contractual Clauses” is hereby incorporated by reference in its entirety. With respect to such Annex the “Data Exporter” shall be defined as you and the “Data Importer” shall be defined as CRF Health. You may find a complete version of the text on our regulatory page.


CRF Health makes no representations about the content of the information found on this Web Site. The information presented on this Web Site is provided to you “AS IS,” WITHOUT ANY WARRANTY, IMPLIED OR EXPRESSED, INCLUDING BY WAY OF EXAMPLE BUT WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR OTHERWISE.

Under no circumstances shall CRF Health assume liability for the use or interpretation by you of information found on this Web Site; rather, this will be your responsibility.

CRF Health expressly disclaims liability for any direct, indirect, incidental, consequential or special damages arising out of your visit to this Web site and/or the information contained on this Web Site, even if CRF Health is proven negligent.


The purpose of this Policy is to outline the responsibilities and procedures that are in place to ensure that the privacy and confidentiality of all personal (identifiable) data provided to, or collected and processed by CRF Health.

CRF Health operates globally and as such, emphasis is placed on describing how CRF Health institutes the US Department of Commerce Safe Harbor Act with regard to sharing of personal information from the EU, EEA, and Switzerland. These Safe Harbor Principles provide equivalency to the principles set out in the EU Data Protection Directive (Directive 95/42/EEC) to satisfy the “adequacy for sharing” requirements dictated by Directive 95/46/EEC. When applied by organisations based wholly or partly in the United States, the Safe Harbor Principles provide a framework for this cross-border sharing and compliance with both EEA and US privacy and data protection legislation. This document describes how these principles are implemented at CRF Health. This policy will be posted on our company website,

The policy applies to personal (identifiable) data held by CRF Health for

(1) All individuals who provide personal and sensitive information including (but not limited to); customers, investigator site staff, clinical trial subjects, suppliers, job applicants and employees (past and present).
(2) All CRF Health locations.
(3) Personal (Identifiable) Data, in all media, from the point of receipt by CRF Health through processing and to final disposition e.g., destruction or transfer of ownership of that data.

The CRF Health QMS and systems are developed and maintained in a manner that will ensure that CRF Health conducts its business in compliance with applicable data protection and confidentiality regulations and laws. These regulations, laws and guidelines are specifically listed in QMS 0-0-1 (Regulatory Compliance).

1. Safe Harbor and Privacy Policy

CRF Health respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. Not only does CRF Health strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.

1.1. Safe Harbor and Privacy Policy

The United States Department of Commerce, the European Commission, and Switzerland have agreed on a set of data protection principles and frequently asked questions (the “US-EU Safe Harbor Framework & the U.S.–Swiss Safe Harbor Framework”) to enable U.S. companies to satisfy the requirement under European Union and Swiss law that adequate protection be given to personal information transferred from the EU and Switzerland to the United States.

The EEA also has recognized the U.S. Safe Harbor as providing adequate data protection (OJ L 45, 15.2.2001, and p.47).

Consistent with its commitment to protect personal privacy, CRF Health has certified that it adheres to the Safe Harbor Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view CRF Health’s certification, please visit

Recognizing variations in applicable local regulation, CRF Health is also registered as a Data Controller with the United Kingdom Information Commissioner’s Office (ICO). To see the CRF Health entry on the ICO Register, go to:

1.2. Scope

This Safe Harbor Privacy Policy (the “Policy”) applies to all personal information received by CRF Health in the United States from the European Economic Area and Switzerland, in any format including electronic, paper or verbal.

1.3. Definitions

For purposes of this Policy, the following definitions shall apply (EU versus US commonly used terms included for reference):

Term and DefinitionEU common term(s)US common term(s)

Any third party that collects or uses personal information under the instructions of, and solely for, CRF Health or to which CRF Health discloses personal information for use on CRF Health’s behalf.

Data Processor


Means CRF Inc., its successors, subsidiaries, divisions and groups.



Data that alone (or combined with other information) could reasonably lead to identification of a living individual. This does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

Personal Data, Identifiable Data

Individually Identifiable Health Information (IIHI), Personal Information

Party determining the means and purpose of processing the personal data (may be a person, agency, public authority or other institution). CRF Health acts as the data controller for personal and sensitive information that is not captured as part of supporting a clinical trial under the direction of a customer.

Data Controller


Party handling / processing personal data on behalf of another (the DATA CONTROLLER), under the DATA CONTROLLER’S instruction. CRF Health acts as the data processor for any personal and sensitive information captured as part of trial conduct, under the direction of the customer (Sponsor) in their capacity as DATA CONTROLLER.

Data Processor

Business Associate, Agent

Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life. In addition, CRF Health will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.

Sensitive Personal Data

Sensitive Personal Information

1.4. Privacy Principles

The privacy principles in this Policy are based on the Safe Harbor Principles. The following sections, aligned with the Safe Harbor Principles, provide indication of how compliance is ensured at CRF Health. See the Safe Harbor website for the full language of these principles at

1.4.1. Notice

Where CRF Health collects personal and/or sensitive information directly from individuals in the EEA, it will inform them about the purposes for which it collects and uses this information about them, the types of non-agent third parties to which CRF Health discloses that information, and the choices and means, if any, CRF Health offers individuals for limiting the use and disclosure of their personal and/or sensitive information.

Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to CRF Health, or as soon as practicable thereafter, and in any event before CRF Health uses or discloses the information for a purpose other than that for which it was originally collected.

Where CRF Health receives personal information from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

1.4.2. Choice

CRF Health will offer individuals the opportunity to choose (opt-out) whether their personal information is
(a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal information, CRF Health will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. CRF Health will provide individuals with reasonable mechanisms to exercise their choices.

1.4.3. Data Integrity

CRF Health will use personal and/or sensitive information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. CRF Health will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.

1.4.4. Transfers to Agents / 3rd Parties

CRF Health will obtain assurances from its agents that they will safeguard personal information consistently with this Policy. Examples of appropriate assurances that may be provided by agents include: a contract obligating the agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), or Swiss Safe Harbor certification by the agent, or being subject to another European Commission adequacy finding. Where CRF Health has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, CRF Health will take reasonable steps to prevent or stop the use or disclosure. Disclosure will not occur unless CRF Health is satisfied that this is authorized by the individual to whom the data pertains.

1.4.5. Access and Correction

Upon request, CRF Health will grant individuals reasonable access to personal and/or sensitive information that it holds about them. In addition, CRF Health will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

1.4.6. Security

CRF Health will take reasonable precautions to protect personal and/or sensitive information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

This will be achieved via appropriate physical and logical security mechanisms as set out in the Security Policy (QMS 0-1) and related security QMS documents.

Computer systems, equipment, networks, programs, data, and documentation are secured to the extent reasonably possible using existing technology, if not regulated, in the drug and device research industry.

Where electronic information is to be transferred on physical media, the media will be kept away from any means of reading that information and appropriate password protected or encrypted to minimize the risk of unauthorized access to that information.

Further details of security mechanisms for transfer of information electronically and transport by employees of personal and sensitive information is addressed in the applicable security QMS documents.

1.4.7. Enforcement

CRF Health will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy as well as continued suitability of this policy and related procedures for assurance of compliance with applicable privacy and data protection legislation. Should gaps or areas for improvement be identified, these will be addressed in accordance with the relevant procedures.

Where there is determined to be wilful violation of this policy by an employee, that employee shall be subject to disciplinary action up to and including termination of employment. Any unsolicited reports or other serendipitous evidence of potential failures of compliance with this policy will be appropriately investigated with actions as commensurate with the result of that investigation implemented.

1.4.8. Dispute Resolution

Any questions or concerns regarding the use or disclosure of personal information should be directed to the CRF Health VP Quality Management & Regulatory Affairs at the address given below. CRF Health will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy. For complaints that cannot be resolved between CRF Health and the complainant, CRF Health has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Safe Harbor Principles.

2. Limitation on Application of Privacy Principles

Adherence by CRF Health to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

3. Types of Information Collected

CRF Health collects identifiable and personal sensitive information through clinical trial and general business activities. CRF Health protects the integrity, confidentiality and privacy of that data from the point of initial capture (solicited or unsolicited), ensuring that the data captured is used only for the purpose that it was captured or appropriate action taken where unsolicited confidential data is received to prevent / minimize the risk of recurrence.

3.1. Clinical Data

Clinical data is collected in anonymized form (unique trial subject identifier) in accordance with industry standards. Where unsolicited trial subject identifying information is received, appropriate action will be immediately taken to ensure that the information is not stored or disseminated further. See Section 6 for how receipt of unsolicited data is managed.

3.2. Other Data

This includes all other identifiable and personal sensitive information other than clinical data. This includes (but may not be limited to) investigator site staff, visitors to the CRF Health website (see QMS 0-0-2, Internet Policy), job applicants and employees, customers and suppliers.

4. Modes of Information Capture/Storage

CRF Health captures information via many routes. The term capture shall be taken to encompass both solicited and unsolicited receipt of information.

4.1. Web based (Internet and TrialManager Web Portal)

CRF Health sees the Internet and the use of other technologies as valuable tools for communicating and interacting with consumers, employees, healthcare professionals, business partners, and others.

CRF Health recognizes the importance of maintaining the privacy of information collected online and has created a specific Internet Privacy Policy (QMS 0-0-2) governing the treatment of personal information collected through web sites that it operates. With respect to personal information that is transferred from the European Economic Area to the U.S., the Internet Privacy Policy is subordinate to this Policy. However, the Internet Privacy Policy also reflects additional legal requirements and evolving standards with respect to Internet privacy. CRF Health’s Internet Privacy Policy can be found at

The CRF Health website allows interested parties to request information and demonstrations of company services. As part of this request for information or services via the website, the user must supply personal identifiable information. The CRF Health TrialManager Web Portal allows users to view content pertinent to the clinical trial through a secured website, should one be employed for a trial. The Security Policy (QMS 0-1), related QMS procedures further complement this policy and the Internet Privacy Policy (QMS 0-0-2) to cover the measures employed to assure the privacy and confidentiality of information captured and made available via web based means.

4.2. Email

All employees are individually responsible for all electronic mail sent from their account and for the appropriate handling of personal identifiable and sensitive information received into their account. Care will always be taken to evaluate whether e-mail is the most appropriate method for dissemination of sensitive information. Further detail is provided in the relevant security procedures and company handbook in relation to use of email.

4.3. Telephone

Where communication of information is by telephone, care will always be taken to evaluate whether this is the most appropriate method for discussion and / or dissemination of personal identifiable and / or sensitive information.

4.4. Paper based Information

Paper based information is more vulnerable than information stored and protected electronically. Paper based information that is current and required for ongoing study and/or general business activities are maintained, wherever possible, in locked cupboards or otherwise restricted areas. When information ceases to be required, it is destroyed confidentially, by shredding. Wherever appropriate and possible, printers that are not general access printers will be used to print such information. QMS 7-2-1 (Asset Control) further supports appropriate maintenance and security measures in respect of confidential and sensitive documents via its information asset classification system.

5. Receipt of unsolicited Personal Identifying and/or Sensitive Information

The possibility of receipt of unsolicited personal identifiable and/or information is acknowledged by CRF Health. By definition, being in receipt of and storing or further dissemination or processing by other means of such data is not consistent with the Safe Harbor Principles of CHOICE and INTEGRITY, since this information should not be in CRF Health possession and the individual (data subject) may not be aware of the dissemination of that information to CRF Health. It is CRF Health policy, on receipt of such data to take all necessary actions to halt further processing or dissemination of that data and to prevent the risk of recurrence of same.

The individual receiving such data will, on receipt (and without further sharing the data, including to Quality Management) notify the VP, Quality Assurance and raise an NCR (taking care not to capture any of the data in the NCR) that personal identifying data has been received, providing relevant information regarding the supplier of the data, circumstances of receipt and project (if applicable). At the same time, the data in question will be destroyed and the supplier notified that they have made an errant transfer of personal data (this may be achieved via the Sponsor or CRA for Investigator Sites). If the transmission contained other, non-identifiable data that is required by CRF Health, the supplier should be requested to re-supply without the personal identifiers. CRF Health Quality Assurance will monitor NCRs for any trends in unsolicited data to permit escalations as appropriate for repeated occurrences.

6. Access to Personal and Sensitive Information

Access to information and systems is restricted to appropriate staff. For data held on the CRF Health network, this is managed via the Security Policy (QMS 0-1) and related IT and Security QMS documents.

In accordance with national and International laws, data subjects (individuals or groups to whom the personal information pertains) have the right of access to any of the information CRF Health holds on them at any time to ensure that it is accurate and up-to-date, to have the ability to request it’s correction/modification or to request deletion of all or part of that information if it is inaccurate.

This is notwithstanding any legal compulsion restricting adherence to the privacy principles set out in Section 2 (see Section 3 – Limitation on Application of Privacy Principles).

7. Retention and Archiving of Information

CRF Health does not keep personal and sensitive information any longer than necessary to meet the business purpose for which it was collected, unless legal or regulatory reasons require that the information not be deleted.

Where it is required that information is not deleted, CRF Health will retain that information for the minimum period required by law or regulation. QMS 6-1 (Documentation) provides a records retention schedule.

In the case of clinical data, on transfer of ownership of information back to a Sponsor or Investigator, it shall be deemed that the new owner becomes responsible for assuring the confidentiality and security of the information.

8. Training and Awareness

Training in Privacy and Data Protection is mandatory for employees of CRF Health. In addition, all employees, regardless of contract type (permanent, temporary, etc) are provided with access to this Policy and must acknowledge this policy within the Quality Management System Tool.

9. EEA Country / EU Member State and non-EEA / non-US Privacy Regulation

The EU Data Protection Directive (Directive 95/46/EEC) requires transposition into Member State Regulation. As part of this transposition, a Member State my incorporate stricter requirements based upon the Directive e.g., the requirement in the United Kingdom for Data Controllers to register with the UK Information Commissioner’s Office (ICO) as Data Controllers. CRF Health implements this policy based upon the core requirements set out via Safe Harbor and the Data Protection Directive, recognizing additional elements / requirements may be set out in individual Member States.

CRF Health does not transfer personal information or sensitive information outside of the EEA or United States and as such, there is not a current need to determine the adequacy of data protection in those countries / territories. CRF Health may receive personal information or sensitive information from outside of the EEA or US. Typically, this would be from customer or suppliers and this policy would be applied in respect of personal and / or sensitive information, unless stricter local requirements, as identified with the information supplier or via contract superseded. See Section 11 in relation to trial subject data.

10. Clinical Trial Subject Data Obligations

Where trial subject data is processed by CRF Health (this would be anonymized as standard but may contain e.g., a date of birth), this will be processed in line with this policy, although the responsibility for ensuring that the trial subject is duly consented to processing of their data in accordance with applicable regulation lies with Investigator site in obtaining that informed consent using the Ethics / IRB approved consent documents.

11. Contact Information

Questions or comments regarding this Policy should be submitted to the CRF Health VP of Quality Assurance by mail as follows:

CRF Health
VP Quality Assurance
Suite 400
4000 Chemical Road
Plymouth Meeting, PA 19462

12. Changes to this Safe Harbor and Privacy Policy

This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. A notice will be posted on the CRF Health web page ( for 60 days whenever this Safe Harbor Privacy Policy is changed in a material way.

Schedule a Consultation
& Platform Demo