IC@dom, a critical player in clinical research and innovation in healthcare, is strongly committed to the protection of the personal data, particularly health data, that it collects during its activities.
The purpose of this policy is to provide transparent information about the way in which IC@dom processes the data it collects, or which is entrusted to it, and about the purposes and methods of personal data processing, in compliance with the applicable French and European regulations:
- The General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016, hereinafter “GDPR”), applicable since 25 May 2018;
- The French Data Protection Act no. 78-17 of 6 January 1978.
Personal data: any information relating to a directly or indirectly identified or identifiable natural person. Personal data can be your name, your age, your address, your social security number or any information relating to your personal or professional life, your state of health, etc.
Sensitive data: Data within a particular category considered to be sensitive or regarding the nature of the information contained within the data, the dissemination of which may have negative consequences on the person concerned. Sensitive data include data revealing alleged racial origin, political opinions, religious beliefs, trade union membership or information relating to health or genetic data, etc.
Processing of personal data: any operation or set of operations, whether or not by automated means, which is applied to personal data or sets of personal data. For example, collection, recording, use, dissemination, storage, etc.
Purpose: the objective pursued by the data processing, the reason why the data is collected and used. For example, the purpose of the clinical research for which your data is collected.
For what purposes does IC@dom process personal data?
IC@dom processes data on its own behalf, as an employer and as a legal entity, to administer its staff, manage its accounts, carry out commercial prospecting and customer follow-up, and comply with the legal obligations to which it is subject. IC@dom therefore acts as a data controller as defined in article 4 of the GDPR.
IC@dom also processes data on behalf of its customers in the more specific context of its activity as a contract research organisation (CRO). The data collected is then processed to meet the objectives defined within the framework of the clinical studies carried out.
In this capacity, IC@dom acts as a subcontractor for the research sponsor in accordance with article 28 of the GDPR, which sets out the conditions for subcontracting data processing.
How is IC@dom authorised to process data?
IC@dom only collects and processes personal data that is strictly necessary for the purpose for which it is processed.
Data may be collected on various legal grounds as outlined in Article 6 of the GDPR:
- For the performance of a contract to which the data subject is party: for example, for the processing of data relating to IC@dom employees or for the processing of data relating to employees of client companies;
- For compliance with legal obligations: for example, as an employer, IC@dom is obliged to comply with certain reporting obligations such as declarations prior to recruitment (DPAE) or the nominative social declaration (DSN);
- For the purposes of the legitimate interests pursued by IC@dom or its client responsible for processing. For example, for the collection of navigation data from website visitors when this information is strictly necessary from a technical point of view to enable access to the site. In the case of research involving health data, such processing based on legitimate interest is only possible if it is justified by a public interest for scientific research purposes. All research projects carried out by IC@dom without consent are subject to specific information that you can find on the transparency portal;
- When the persons concerned by the research have given their explicit consent for their data to be processed for research purposes.
How is personal data collected?
Collection of employee data:
When processing the personal data of its employees or customers, IC@dom mainly collects the data directly, i.e., the data are entrusted directly by the person concerned without going through an intermediary. For example, when employees are recruited, they will be asked to provide information that is required to draw up an employment contract, manage staff and administer pay.
Collection of data from job applicants:
Data included in an application, in particular the CV and covering letter, are collected directly from the applicants, particularly via the “Contact us” section of the website.
Collection of data from client employees:
IC@dom collects data pertaining to certain employees of its clients to perform the services agreed with its clients. The persons concerned are the contacts required to carry out the service (project manager, research manager, legal representative, accounting or legal department employee, etc.). In this situation, the data is usually communicated by the employer when it is not collected directly from the person.
Collection of patient data:
Patient data that are useful for research may be collected directly from the patient as part of a research protocol. For example, some protocols require patients to complete questionnaires that are then collected by IC@dom. Data may also be collected from the patient via the investigating centres, such as the collection of medical device data during routine care.
IC@dom can also access so-called retrospective data. In this case, the data is collected beforehand and then communicated to IC@dom. For example, with the patient’s consent, IC@dom can access data collected during routine care.
Collection of data from visitors to the website:
Some information may be collected automatically or by cookies when this is technically necessary to enable browsing. All other cookies require prior consent. The information collected via the contact form is used to answer your questions, to contact you, to present our services, to define your needs, and to facilitate our potential future contractual relationship.
What data are processed by IC@dom?
In accordance with the principles outlined in Article 5 of the GDPR, IC@dom only processes data that are strictly necessary for the purposes determined. Therefore, IC@dom does not process the same type of data for employees, clients or prospect contacts or patients included in clinical research.
Below is a list intended to be representative of the different types of data processed by IC@dom. Due to the multiplicity of existing personal data, the list presented below cannot be exhaustive. The fact that these data-types are listed does not indicate that they are systematically collected and processed, but simply that they are likely to be collected when justified.
For its employees, IC@dom is likely to collect:
- Identity data: surname, first name, age, place of birth, nationality, telephone number, postal address, personal e-mail address, etc.
- Personal data (lifestyle, family situation, etc.): number of children and age, marital status, recognition of disability status if applicable, etc.;
- Professional data: previous positions, professional experience, qualifications, occupational category;
- Economic and financial information (income, financial situation, tax situation, etc.): bank details, salary, bonuses, benefits in kind, etc.;
- Social Security number (or NIR);
- Connection data (IP address, logs, etc.): Connection data (login and password) for accessing business applications and software.
For job applicants, IC@dom is likely to collect:
- Identity data: surname, first name, age, place of birth, nationality, telephone number, postal address, personal e-mail address, etc.
- Personal data (lifestyle, family situation, etc.): recognition of disability status if applicable;
- Professional data: previous positions, professional experience, qualifications, etc.
For a client or prospect contact, IC@dom is likely to collect:
- Identity data: surname, first name, etc.;
- Professional details: job title, business address, business telephone number, qualifications, etc.
With regard to patients included in clinical studies, IC@dom is likely to collect:
- Identity data: surname, first name, age, place of birth, etc.;
- Personal life data: consumption of tobacco, alcohol, other substances, lifestyle habits and behaviours, lifestyle, quality of life scale or other information on the impact of pathologies on patients’ lives, exposure to known health risks, etc.;
- Professional data: socio-professional category, level of education, etc.;
- Economic and financial information: social security affiliation scheme, supplementary insurance (private or other type of insurance), etc.;
- Sensitive data (health data): Weight, height, body composition (impedancemetry), reports (medical, paramedical, multidisciplinary meeting, etc.), data relating to adverse effects and events, prescriptions for drugs and medical devices, medical and paramedical observations, data from medical devices and measuring equipment (serial number, technical operating data, compliance and effectiveness measurement data, equipment maintenance data), personal or family history, associated illnesses or events, etc.
For visitors to the website:
Some information is collected automatically when browsing the website.
These include connection data: IP address, visit time, type of browser, site categories visited, etc.
The collection of all other types of data using cookies is subject to the visitor’s consent through a cookie banner. For more information, please consult our cookie management policy.
How long does IC@dom keep this data?
Employee data is kept for 5 years after the end of the employment contract in accordance with the statutory limitation period under common law (Article 2224 of the French Civil Code), except for payslips, which are kept digitally for a period of 50 years in accordance with Article D. 3243-8 of the French Labour Code.
For applications received:
Data relating to applicants is kept for two years after collection, in accordance with the French Data Protection Authority (CNIL) recommendations. This enables the HR department to contact you again if a position matches your profile.
For customer and prospect contact data:
Prospect data is kept for 3 years from the last commercial exchange initiated by the prospect contact;
Customer contact data is kept for 5 years following the end of the contractual relationship, in accordance with the statutory limitation period under common law (Article 2224 of the French Civil Code);
Data required for invoicing purposes may be kept for 10 years in accordance with the obligations set out in article L123-22 of the French Commercial Code.
For data from patients included in research:
Patient data is kept for as long as is necessary for the research. In accordance with the guidelines of the French Data Protection Authority (CNIL) relating to data preservation periods for research in the health field, the data required for research is preserved for a maximum of two years in the active database, from the last publication, and then for 15 years in the intermediate database before destruction.
For your browsing data on the website:
IC@dom keeps your browsing data on our website for a maximum duration of 6 months (duration recommended by the CNIL).
For the data you provide to contact us:
The personal data you provide when you wish to contact us using the contact form are kept for a maximum of 3 years (duration recommended by the CNIL).
Who can access your data?
Your personal data is only passed on to the internal departments of the AGIR à dom Group, of which IC@dom is a part.
As data controller, IC@dom subcontracts support and administrative services such as HR, accounting, legal and IT activities to the AGIR à dom Holding.
Only members of IC@dom’s research teams have access to the data of patients included in research projects. As such, they are bound by confidentiality.
In certain cases, the data may be shared with the teams from the investigating centres and the sponsor, in compliance with the requirements outlined in the rules of good clinical practice.
Except for patient data for research purposes, IC@dom may occasionally communicate data to certain third parties when this is necessary for the purpose of the processing (auditors, law firms, etc.).
Finally, IC@dom may allow access to data to recipients, known as “authorised third parties”, who are legally entitled to access the information (tax authorities, judicial authorities, etc.).
How is the security and confidentiality of personal data ensured?
IC@dom treats the data entrusted to it with great respect and is particularly vigilant and attentive to current and future legislation.
The entry into force of the GDPR (European General Regulation for the Protection of Personal Data) on 25 May 2018 was an opportunity to carry out a complete review of data processing to strengthen the security and confidentiality of your data, a subject that we take very seriously.
IC@dom is therefore committed to the following:
- Not to use this data for any purpose other than that required for processing;
- Not to disclose your data to third parties;
- To subject its employees and representatives to confidentiality obligations;
- To destroy all media storing your data, whether computerised or not, at the end of the specified retention period.
The security and confidentiality of personal data also depend on the good practice of each individual.
We therefore suggest that you do not communicate your login and password to third parties, that you systematically log out of your account and close your browser window at the end of your session, particularly if you are accessing the Internet from a public computer, and that you do not save your login and password in your browser.
What are your rights?
In accordance with the regulations in force, you can exercise the following rights concerning your personal data:
Right of access:
To obtain confirmation that your personal data is being processed and to access this data, as well as a certain amount of additional information and to obtain a copy of the data being processed.
Right of rectification:
To request that your data be rectified or completed as soon as possible.
Right to erasure:
To request the erasure of personal data concerning you as soon as possible, if your data is no longer necessary for the purposes for which it was collected, or if you decide to withdraw your consent on which the processing is based.
Right to limit processing:
To obtain the restriction of the processing of your data. In this case, we will only be able to store your data and no other operations may be carried out on your personal data.
Right to portability of your data:
To recover the data you have provided to us and to pass it on to another data controller, particularly if you change service providers.
Right to object:
To object at any time, for reasons relating to your situation, to the processing of your personal data. You also have the right to object to your data being processed for direct marketing purposes.
Right to withdraw your consent:
To withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on your consent carried out prior to the withdrawal.
Right to define directives concerning the fate of your personal data post-mortem:
To define directives concerning the conservation, deletion and communication of your personal data after your death. In the absence of a directive from you, your heirs will nevertheless be able to exercise their rights over your personal data after your death.
How can I exercise my rights?
To exercise your rights, you can send us your request in writing:
By e-mail: email@example.com
Or by post: Délégué à la Protection des Données personnelles – IC@dom – 36 Chemin du Vieux Chêne – 38240 MEYLAN – France
Please specify the right(s) you wish to exercise and the reason(s) for your request.
We will get back to you within a maximum of one month (this may be longer for complex or large requests).