EU-U.S. Data Privacy Framework Privacy Policy

Medidata’s Notice of Certification Under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

Scope: Medidata Solutions, Inc. (“Medidata”) complies with the EU-U.S. Data Privacy Framework program (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Medidata has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Medidata has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Data processed and purposes of data processing: Medidata provides an online platform and applications for our customers to operate aspects of their businesses, including the collection, processing and storage of clinical and operational data for the planning, conduct and optimization of clinical trials. Medidata’s customers decide what data to submit to our platform or applications, which may include information about their authorized users, employees, and clinical trial patients. Medidata processes this data as instructed by our customers and does not control or own its customers’ personal data. Our customers’ instructions may include processing or using personal data for purposes of providing or developing the Medidata platform, applications, and services, preventing or addressing service or technical problems, responding to support issues, responding to our customers’ instructions, or as may be required by law.

For personal data that is not processed on behalf of our customers and for which Medidata is a data controller, please refer to Medidata’s Privacy Policy (Dassault Systèmes main privacy policy).

Third-party access to personal data and liability: Medidata only discloses personal data as instructed by our customers. In some cases, we may use third-party providers to assist us in providing or developing our platform or applications to our customers, such as to offer support to our customers and their authorized users and employees and to provide technical or operational support such as data hosting, transmission, and storage. These providers may access, process, or store personal data in the course of providing their services to Medidata. Medidata maintains contracts with these providers restricting their access, use and disclosure of personal data in compliance with our DPF obligations. Medidata may be liable if these third parties fail to meet those obligations and we are responsible for the event giving rise to the damage.  For additional information, see Medidata’s Privacy Policy (Dassault Systèmes main privacy policy).

Right to access: As Medidata is a data processor, individuals who seek to access, correct, amend or delete personal data should contact the Medidata customer (the data controller) who submitted your personal data to our platform or applications. In some instances, you may be able to perform these operations yourself through our applications. If the Medidata customer requests Medidata to remove the personal data to comply with data protection regulations, Medidata will respond to our customer’s request within 30 days. In addition, you can find more information on the rights and choices we offer regarding limiting the use and disclosure of your personal data in Medidata’s Privacy Policy (Dassault Systèmes Privacy Policy) under the section labeled “What Are Your Rights”.

Inquiries or complaints: In compliance with the DPF Principles, Medidata Solutions, Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact mdsol.NAM.dataprivacy@3ds.com.

You may also refer any inquiries or complaints by mail to Medidata at:

Medidata Solutions, Inc.
Attn: Chief Privacy Counsel
350 Hudson Street, Floor 9
New York, NY 10014
United States

or to our UK-based subsidiary at:

Medidata Solutions International Limited
Attn: Chief Privacy Counsel
Metro Bldg., 1 Butterwick, 7th Floor
Hammersmith, United Kingdom, W6 8DL

Medidata has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

Compelled disclosure: Medidata may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Medidata will notify our customer of any such requests unless prohibited by law.

U.S. Federal Trade Commission investigation and enforcement: Medidata’s commitments under the DPF Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

For additional information, see Medidata’s Privacy Policy (Dassault Systèmes Privacy Policy).