DP Clinical, Inc. (hereinafter “DP Clinical”) is a privately owned Contract Research Organization (CRO), located in Rockville, MD and incorporated in the State of Maryland. DP Clinical primarily manages clinical trials in North America for pharmaceutical, biotechnology, and academia, hence has not certified itself with the Data Privacy Framework (DPF).

DP Clinical may partner with a CRO located in EU if required to conduct clinical trials by our clients.  The EU CRO will be responsible for ensuring compliance with all the applicable General Data Protection Regulation (GDPR) regulations and guidelines and DP Clinical will ensure compliance by qualifying/auditing the entity prior to engaging in partnership to conduct a clinical trial.  The EU CRO will be responsible for ensuring that no personal data is transferred to DP Clinical.

DP Clinical is committed to protecting the privacy and confidentiality of participants in a clinical trial whose personal and health information DP Clinical collects and processes on behalf of our clients. All identified DP Clinical GxP employees are required to train on GDPR and HIPAA regulations on a biennial basis. This Privacy Policy explains how DP Clinical collects, uses, stores, protects, and discloses the sensitive personal data of participants in accordance with applicable data protection laws in the US and Canada.  DP Clinical processes data exclusively within North America and do not transfer data outside of North America without explicit authorization from an international client in support of global regulatory health submissions or requests.

Purpose

This Data Privacy Policy provides for how DP Clinical collects, uses, stores, shares and protects personal data in compliance with applicable data privacy laws, including but not limited to the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and other regional/State regulations governing GXP-compliant environments.

 Scope of This Policy

This Privacy Policy applies to all personal information that DP Clinical processes in the course of providing clinical research services in the context of conducting GxP-regulated activities, including clinical trial management, data monitoring, safety monitoring, regulatory affairs, auditing, data management, medical writing, and biostatistical support. DP Clinical acts primarily as a data processor or service provider on behalf of our clients (e.g., study sponsors or investigators), who are responsible for determining the purpose and how the data will be collected and processed. Included are:

  • Personal data of clinical trial participants
  • Healthcare professionals and investigators
  • Clients, vendors and employees
  • Data from pharmacovigilance or medical monitoring activies

Types of Information DP Clinical Processes

DP Clinical may process the following categories of information:

  • Clinical trial data (e.g., subject IDs, medical history, concomitant medications, adverse event data)
  • Investigator and site staff information (e.g., name, professional credentials, contact information) as required per the applicable laws and regulations
  • Operational data (e.g., monitoring reports, site performance data, eCRF)

DP Clinical does not collect data directly from the subjects or have any contact with them. All personal data DP Clinical reviews is pseudonymized (either coded or redacted by investigative site in accordance with sponsor requirements and applicable laws.

 Purpose of Processing

DP Clinical processes personal data for specified, explicit, and legitimate purposes related to our services such as:

  • To conduct and monitor clinical trials
  • To comply with regulatory requirements
  • To support data management and statistical analysis
  • To ensure quality assurance and regulatory compliance
  • To fulfill our contractual obligations to sponsors

Categories of Data Collected Include

  • Participant Data: Pseudonymized data, gender, age, health data, trial-related information
  • Investigator &HCP Data: Name, contact details, professional credentials, trial site data
  • Employee Data: HR, payroll, and training records
  • Vendor/Client Data: Names, business contact information and, contract data

Data Storage and Regional Processing

All personal data is stored and processed exclusively in North America (United States and/or Canada). DP Clinical does not transfer or process personal data outside this region without explicit authorization from an international client in support of global regulatory health submissions or Health Authority requests only where data has:

  • Adequate safeguards (e.g. Standard Contractual Clauses)
  • Regulatory Approvals and sponsor agreements permit
  • Data is pseudonymized or de-identified wherever possible

 Legal Basis for Processing

DP Clinical processes personal data under the direction and authority of our clients (data controllers), based on:

  • Informed consent obtained by the investigator
  • Contractual obligations with our clients
  • Legal and regulatory requirements under applicable health or clinical research laws (e.g., HIPAA, FDA regulations, GCPs, PIPEDA)

 Data Sharing and Disclosure

DP Clinical does not sell or share personal data for commercial purposes. DP Clinical may disclose personal data:

  • To authorized personnel within our organization who require access to perform services
  • To regulatory authorities as required by law (e.g., FDA, Health Canada)
  • To third-party service providers (e.g., data storage or IT services) under contractual agreements with adequate data protection safeguards

 Data Security

DP Clinical implements administrative, technical, and physical safeguards to protect personal data, including:

  • Secure access controls and authentication
  • Encryption of data
  • Regular risk assessments and audits
  • Staff training on data privacy and security

 Data Retention

DP Clinical retains personal data only as long as necessary to fulfill the purposes described in this policy and complies with regulatory or contractual obligations. Retention periods are defined in accordance with client instructions and applicable laws.

Individual Rights

In accordance with the General Data Protection Regulation (GDPR), data subjects have certain rights related to their personal data, including the rights of access, rectification, erasure, and objection. However, as a data processor, DP Clinical is not responsible for fulfilling these rights directly.

The trial sponsor or the principal investigator acts as the data controller and is responsible for evaluating and responding to data subject requests. If DP Clinical receives a request from a data subject—such as a clinical trial participant—or from a study site regarding the personal data of a participant, DP Clinical will promptly inform them that such requests must be directed to the data controller. DP Clinical will cooperate with the data controller as required to support compliance with applicable GDPR obligations.

Breach Notification

In the event of a data breach, DP Clinical will work with relevant client/vendor to notify affected parties and regulatory authorities in accordance with applicable laws (e.g., 72 hours for GDPR breaches) and maintain documentation of the incident and remedial actions. All identified data breaches occuring within DP Clinical in the course of providing routine services shall be reported to the Privacy Officer within 24 hours of identification by the identfying party.

 Contact Information

If you have questions about this policy or our data protection practices, please contact:

Privacy Officer
Tim Urschel
Senior Vice President of Regulatory Affairs and Quality Assurance
9201 Corporate Blvd., Suite 250
Rockville, MD 20850
Email:  DPInfo@dpclinical.com

Policy Updates

DP Clinical may update this Privacy Policy periodically. Changes will be posted on our website with an updated effective date.