The objective of FMR is to carry out Market Research involving Health Care Professionals, patients or consumers.

Context

The General Data Protection Regulation issued by the European Union (“GDPR”) and effective 25 May, 2018, refers to the protection of the privacy rights of individuals (for example, tighter restrictions around consent, the right to be forgotten, the type and amount of personal data that can be utilized, data access and security, etc.) beyond those protections that have already been in place for some time in the European Union and in many other countries around the world.

As such, the protection of personal data is a top priority.
FMR GLOBAL HEALTH is compliant with the guidance and requirements of the professional code of conduct applicable to all registered market research companies (ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics) and all current existing local regulations, especially as far as the protection of respondents’ data is concerned.
In addition, FMR has adopted the Cyber security code of conduct with IT Security and Information Management policies to ensure the safeguarding and protection of the personal data of its customers, respondents and employees.
Its mandate is:

  • To ensure that personal data are appropriately treated and protected.
  • Anonymised data and access security – For respondents, anonymization techniques are used to protect their personal data as part of FMR’s data collection operations, so that access is restricted to the fieldwork teams in its operations units solely on a need-to-know basis.*
  • The same policy applies for customer provided samples, online panellists and off-line respondents.

*ICC/Esomar International Code on Market, Opinion and Social Research and Data Analytics (https://www.esomar.org/what-we-do/code-guidelines)
For our employees: Access to employees’ personal data is strictly limited to the relevant staff in charge of human resources management.
FMR GLOBAL HEALTH implemented various encryption solutions, notably on all employees’ laptops as well as databases containing special (sensitive) categories of personal data such as data concerning health, political opinions, etc.
For Partners or Suppliers: FMR GLOBAL HEALTH enforces procedures in order to select Partners processing personal data based on their capacity to comply with data protection requirements. This means that all Partners must sign an agreement including data protection clauses and that no supplier can transfer any personal data unless they agree to appropriate safeguards and obtain customer consent. Additionally, our Partners cannot subcontract part of the personal data processing services to sub-processors without prior approval.

Data transfers

Contractual measures were put in place for cross border data transfers. When a data transfer is required in a country recognized as not having an adequate level of data protection, FMR ensures that EU Standard Contractual Clauses are in place, implementing appropriate technical and organisational measures for the protection of the personal data.

Depending on the services required the following actions will be undertaken:

  • Health Care Professionals, patients, caregivers and consumers recruitment
  • Carry out interviews, face-to-face, in studio, online (web-assisted), over the phone or in-field
  • Simultaneous translation or voice-over
  • Compensation of the respondents
  • Transcription or delivery of the information collected during the interviews, such as filled in questionnaires
  • Translation of materials
  • Consolidated data analysis

FMR will ensure that data delivered are totally anonymized and that the process abides by the laws and rules applying to data protection as laid out by the General Data Protection Regulation (GDPR) as of May 25th 2018.

Data Protection Principles

The GDPR imposes significant requirements for organisational compliance measures and safeguards, such as enshrining privacy by design and default, use of data protection impact assessments (DPIAs), keeping comprehensive data processing records and mandatory reporting of data breaches. Most important is accountability, which requires that data controllers are responsible for, and are able to demonstrate compliance with, the following six general privacy principles:

  • Lawfulness, fairness and transparency – Personal data is processed lawfully, fairly and in a transparent manner.
  • Purpose limitation – Personal data is obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing is allowed for archiving, scientific, statistical and historical research purposes.
  • Data minimisation – Personal data processed is adequate, relevant and limited to what is necessary.
  • Accuracy – Personal data is accurate and, where necessary, kept up to date.
  • Storage limitation – Personal data is not kept longer than is necessary (but data processed for archiving, scientific, statistical and historical research purposes can be kept longer subject to safeguards).
  • Integrity and confidentiality – Appropriate technical and organisational measures are put in place to guard against unauthorised or unlawful processing, loss, damage or destruction.

Personal Data

GDPR covers personal data, i.e. information relating to an identified or identifiable natural person who can be identified directly or indirectly by that data on its own or together with other data.
Some personal data is categorised as special data; this is essentially sensitive personal data covering religious or philosophical beliefs, health, racial or ethnic origin, trade union membership, political beliefs, sex life or sexual orientation, genetic data and biometric data (including photos when used for the purpose of uniquely identifying a natural person) of individuals. The collection and use of special data are subject to greater restrictions than other types of personal data.

In the research context it is important to recognise that there is a difference between data that identifies a participant in a market, opinion and social research project and data obtained from participants during fieldwork, such as responses provided, opinions expressed, etc. The first category consists of identifiable demographic details (personal data), but the responses of participants will only be considered as personal data when they can be linked to the demographic details (or if the responses themselves have identifiable details within them). Sound and video recordings and still images should always be considered as personal data in light of the ease of linking these to a person.
The ease with which technology can do this means that there is a higher risk of re-identification of this type of material. Transcripts of recordings are used in order to properly anonymise them. Researchers separate these different categories of information and resort to anonymisation of personal data because, when working with anonymised data (i.e. participant responses which cannot identify an individual), the requirements of the data protection rules are no longer applicable. Data can also be “pseudonymised”. Pseudonymised data is personal data that has been processed so that it can no longer be attributed to a specific data subject without the use of additional information such as a unique identifier which can make the data identifiable. An original string of data even without the identifier can still be personal data (in the hands of an organisation that holds both the dataset and the identifier) since it can be matched again with the original database to make the data in a string identifiable. In order to become pseudonymised data the additional information must be kept separately and held subject to adequate technical and organisational measures. The data can then be considered as pseudonymised data even where the identifier is kept within the same organisation. Pseudonymised data is still personal data but pseudonymisation of the data is a security technique that provides a mechanism for reducing the level of exposure under the GDPR. The transition from personal data sets held by researchers through to pseudonymised and anonymised datasets is set out in Figure 1.

Figure 1:

FMR researchers take steps to anonymize data at an early step in the research cycle and follow regulatory guidance to keep up to date with the limits of effective anonymization in a digital environment.
Regulators do not look to absolute impossibility of identification; rather, they consider the likelihood of re-identification occurring. GDPR sets out a clear preference for processing personal data used in research to the point where data subjects cannot be identified.

GDPR does not apply to data that does not relate to or identify an individual, such as aggregated data sets that show general trends without identifying people or commercial data such as sales or revenue figures which do not contain personally identifiable information.
FMR employees are obliged to follow policies and procedures regarding confidentiality, security and privacy. We adhere to the following industry requirements:

  • ESOMAR professional Codes of Conduct.
  • EphMRA (European Pharmaceutical Market Research Association).
  • General Data Protection Regulation (GDPR) and any subsequent legislation, which may be amended from time to time.

Accuracy:
Reasonable steps are taken to keep personal information in our possession or control, which is used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us.
Children’s data collection:
We never knowingly invite children under the age of 16 years to participate in research studies without consent. If it is necessary and appropriate to a particular project to directly involve children under the age of 16 years, we take measures to ensure we have been given permission by their parent or legal guardian. This must be verified with ID from that individual and they must confirm that no further consent from any other parent or guardian is required.

Rights of individuals:
Health Care Professionals, patients, caregivers and consumers have the right to request access to personal information.
Under current EU data protection laws, all participants have the right to access, rectify or erase their personal information from our systems, unless we have legitimate interest reasons for continuing to process it.
Under current EU data protection laws, researchers are not authorized to make any individual analysis but only a consolidated analysis of all respondents.
From 25 May 2018 individuals have the following rights in relation to personal information:

  • Right to change your mind and to withdraw consent.
  • Right to access personal data
  • Right to erase personal data from our systems, unless there are legitimate interest reasons for continuing to process the information
  • Right to port personal data (portability right), if appropriate
  • Right to restrict processing of personal data
  • Right to object to the processing of personal data

Principles relating to processing of personal data

Definition: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Under the OECD Privacy Principles any personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Generally, national laws provide a number of lawful and fair grounds, but in most instances, researchers will be obliged to rely on consent.
Consent must be:

• free (voluntary and able to be withdrawn at any time);
• specific (relating to one or more identified purposes);
• informed (in full awareness of all relevant consequences of giving consent).

Consent must also be clearly indicated by a statement or action by the data subject, having been provided with the information set out under the items below. He or she should be informed about:
(a) the use to which his or her personal data will be put;
(b) the specific data to be collected;
(c) the name, address, and contact information of the company or organisation collecting the data and, if not the same organisation, the data controller;
(d) whether data will be disclosed to third parties.

Data storage and retention:
Personal information will be retained only for such period as is appropriate for its intended and lawful use; in this case we shall retain data for no longer than 6 months, after which they will be destroyed, with proof of this destruction, unless otherwise required by law. Personal information that is no longer required will be disposed of in ways that ensure its confidential nature is not compromised.
All archives are retained for a defined period of time in a strictly controlled environment. Once expired, the data is deleted and the physical media destroyed to ensure the data is erased completely.
The use of appropriate security safeguards to provide necessary protection includes:

• physical measures (locked filing cabinets, restricting access to offices, alarm systems, security cameras)
• technological tools (passwords, encryption, firewalls)
• organisational controls (background checks, rules relating to taking computers off-site, limiting access on a “need-to-know” basis, staff training, agreements with clients and subcontractors)

The security policy also includes a procedure for dealing with a potential data breach in which personal data is disclosed. In the case of secondary data collected by another party, such as a client’s database, that party must be informed immediately. Data subjects whose data was disclosed also must be notified if the disclosure exposes them to some risk (e.g. identity theft) and appropriate steps taken to protect against that risk.

Photographs, audio, and video recordings

A number of new research techniques create, store, and transmit photographs, audio, and video recordings as part of the research process. Two prominent examples are ethnography and mystery shopping.
Photographs, audio, and video recordings are personal data and must be handled as such.
Some types of observational research may involve photographing, videoing or recording in public settings involving people who have not been recruited as data subjects. In such instances, researchers need permission to share such images from those data subjects whose faces are clearly visible and can be identified. If permission cannot be obtained, then the data subject’s image should be pixelated or otherwise anonymised. In addition, clear and legible signs should be placed to indicate that the area is under observation along with contact details for the individual or organisation responsible. Cameras should be sited so that they monitor only the areas intended for observation.
Audio and video recordings will not be stored more than 6 months, after which they will be destroyed, with proof of this destruction, unless otherwise required by law.

It has also been agreed that all FMR partners will abide by the following:

ARTICLE 1 – CONTRACTUAL OBJECT

The Partner will carry out its services for FMR in compliance with the professional codes of conduct and of Pharmacovigilance applying to medical Market Research.

ARTICLE 2 – PROVISION OF SERVICES

In order to carry out its mission, the Partner will resort to its knowledge, techniques and experience. The services carried out, the reports established, the conclusions drawn and the opinions formulated are in accordance with the most rigorous state of the art of the profession.

The Partner agrees to carry out its services in compliance with the legal dispositions and any other rules that may apply with all the necessary professional care and diligence.

The Partner agrees to never offer, promise or make any payment, any remuneration or provide direct or indirect advantages of any kind to civil servants, employees of regulatory decision bodies, health care professionals, governmental organizations, public institutions of any kind that constitute or may constitute an illegal action or an act of corruption in exchange for the realization of the contract.

The Partner also agrees to never offer, promise or make any payment or provide direct or indirect advantages of any kind to any FMR employee in order to obtain or influence the conclusion of a contract with FMR. Any such practice will be grounds for immediate termination of this Agreement.

The Partner agrees to provide the necessary means, human and materials, for the realization of the Services. To carry out the Services covered by this Agreement, the Partner will resort to qualified personnel. The collaborators of the Partner are under its sole responsibility and will receive instructions from the Partner only in its quality of employer, excluding any subordination relationship with FMR.

The Partner, as employer, is solely responsible for work organization and for the work schedule of its employees.

The Partner will be solely responsible for the mistakes made by the Partner or by the personnel the Partner will have assigned to the realization of its services, as well as for any delay or defects of any kind impacting the delivery of the services and/or their quality.

The Partner agrees to comply with any administrative, fiscal or social duties necessary to the compliance to the current legislation and declares abiding by the law. FMR shall not be held responsible if it were to be otherwise.

Any digital or document-based material delivered to FMR by the Partner in the framework of the Services carried out will be free of viruses. The Partner agrees to destroy the files FMR will have provided once the Services are carried out.

ARTICLE 3 – DURATION AND TERMINATION

The present Agreement will be valid for every project FMR and the Partner will work together on. FMR reserves the right to amend this agreement at any time.

Each party can, in case of characterized non-compliance by the other party with the present Agreement, by way of notice, remind the other party of its duty to fulfil its obligations. If the said notice, sent by registered letter with acknowledgement of receipt, has not been answered within fifteen (15) days from the moment the letter was received, the present Agreement can be terminated without notice via registered letter with acknowledgement of receipt sent to the defaulting party, without prejudice to any damages the complaining Party may claim.

The contract will be terminated without notice if the default is substantiated and cannot be overcome due to its nature.

ARTICLE 4 – CONFIDENTIALITY

The Partner agrees to consider all the materials and information provided by FMR or its affiliates, as well as any information it may produce or to which the Partner may have access within the present Agreement, hereinafter “Confidential Information”, as strictly confidential.

The Partner therefore agrees not to share nor make accessible any of that information to any third party, directly or indirectly. The Partner also agrees to destroy all the files provided by FMR at the end of each mission the Partner has been assigned to.

The Partner agrees to take all necessary measures to ensure confidentiality is preserved, to inform its personnel of the dispositions in the present Agreement and to make sure these rules are abided by. The Partner will guarantee those dispositions are respected by its personnel or its potential subcontractors.

The obligation of confidentiality will not apply if the Partner can prove the following:

  • That the Partner already had this information when the Partner received the said information from FMR.
  • That the said information is in the public domain otherwise than by the Partner’s fault or negligence.
  • That the said information was already in the public domain when the Partner received it from FMR.
  • That the said information is to be revealed in accordance with a legal obligation or a non-equivocal regulation, with a court decision or with the request from an administrative authority to which the Partner must comply.

The present confidentiality obligations will remain after termination of the agreement, for any reason whatsoever, with no limitation in time other than the dispositions of the present Agreement.

ARTICLE 5 – DECLARATION OF THE PARTNER

In any event the Partner declares:

  • Complying with all legal prescriptions, regulatory or administrative governing its activities as described in the present contract.
  • Being able, with no restrictions whatsoever, to carry out the Services described in the present provisions and to arrange all the necessary administrative authorizations and to respect any legal, regulatory or administrative prescription as well as the ethical code of professional conduct directly or indirectly in connection with the present Agreement.
  • Not being in default of payments or being the object of any collective proceedings.

ARTICLE 6 – FILES AND DATA BASES

FMR may have to give the Partner access to files or data bases allowing the Partner to carry out the requested Services.
The Partner agrees to use the data bases and the data exclusively in the name of and for FMR and its client within the determined framework of the mission and the Partner agrees not to use them directly or indirectly for any other purposes. The Partner agrees to:

  • Maintain the strictest confidentiality regarding the information passed on to the Partner by FMR and to use it exclusively in order to carry out the Services for the sole benefit of FMR and its client. The Partner also agrees to reveal the said information only to the personnel who may need it in order to carry out the Services. The Partner is forbidden to communicate Confidential Information to anyone else, with the exception of the members of staff mentioned above.
  • The Partner agrees to use the Confidential Information exclusively within the framework of the Services and exclusively in the name of FMR and its client.
  • The Partner agrees to forbid third-party access to, and not to make available to a third party, even for free, directly or indirectly and even out of negligence, the entirety or parts of the Confidential Information provided by FMR.
  • The Partner agrees to not extract and/or re-use the structure, template or content of the database provided by FMR for any other use than authorized to carry out the Services for the sole benefit of FMR and its client.
  • The Partner agrees to not use the data, the model or the structure of the data base provided by FMR in order to sell, constitute, update or improve a commercial data base.
  • The Partner agrees to control access to the data provided by FMR and to take any necessary safety measure in order to ensure that only the members of the personnel and the collaborators who expressly need it can access the data in order to carry out the Services for FMR and for the sole benefit of FMR and its client.

ARTICLE 7 – DATA PROTECTION AND CIVIL LIBERTIES LAW

Each party guarantees they are committed to undertake all the declarations needed regarding their files and more generally to respect their obligations regarding the automatic processing of personal data according to the current legislation (as amended May 26th 2018).

ARTICLE 8 – TRANSFER OF THE RIGHTS AND SUBCONTRACTING

The present Agreement is intuitu personae regarding the specific competences and qualifications of the Partner and the mutual trust between the Partner and FMR.
The Partner will not transfer its rights and obligations to the contract to any third party, in any form or in any way, be it only for a short period of time nor be considered part of the company unless FMR expressly gave its prior consent.

ARTICLE 9 – RESPONSIBILITIES – INSURANCES

The Partner shall bear the sole responsibility for the perfect execution of the Services. Therefore, in case of any fault or defect, negligence, breach, omission, or poor execution for which the Partner, or any person directly or indirectly involved under the control of the Partner, is responsible, the Partner shall repair the totality of the damages caused to FMR.

ARTICLE 10 – PHARMACOVIGILANCE / MATERIOVIGILANCE

The Partner will be trained in FMR’s internal Pharmacovigilance process.
Equally, and before any activity, the Partner will be trained in the Pharmacovigilance process specific to FMR’s client for whom the Services will be provided. These processes will have to be enforced by the Partner and its personnel.

FMR must be informed immediately, as soon as it is brought to the Partner’s knowledge, of any information regarding Pharmacovigilance or vigilance in general concerning a product of FMR’s client (drug, food supplement, cosmetics, medical device), regardless of this information being initial or complementary, and more particularly in case of:

  • Adverse Event (AE), serious or not,
  • Incorrect use of a product of FMR’s client, with or without Adverse Event (AE),
  • Overdosing, with or without AE,
  • Intentional misuse of a product of FMR’s client, with or without AE,
  • A medication error, with or without AE,
  • Lack or absence of efficacy,
  • An improved therapeutic effect or an unexpected beneficial effect,
  • Interaction between a product of FMR’s client and other medications, food, tobacco, alcohol or radiation,
  • Exposure to a product of FMR’s client during pregnancy, with or without AE,
  • AE after exposure to a product of FMR’s client when breastfeeding,
  • Exposure of the father or the mother to a product of FMR’s client at the moment of conception, with or without AE,
  • AE following professional exposure,
  • AE due to a default in quality, design or counterfeit of a product of FMR’s client,
  • Suspicion of infectious agent transmission by a product of FMR’s client,
  • Incident or risk of incident with a medical device of FMR’s client.

The information must be forwarded the same day to FMR and via email directly to the project manager who will in turn liaise with the client’s Pharmacovigilance department.

ARTICLE 11 – LITIGATIONS

In the event of a dispute between the parties regarding the interpretation or the execution of the contract, or lack thereof, and provided the parties do not reach an agreement, the Paris commercial court will be the sole competent jurisdiction for all claims, even incidental, in intervention or appeal in guarantee, or in the case of multiple defendants.
EphMRA (European Pharmaceutical Market Research Association) Guiding principles that underpin the Code of Conduct:

  1. Subjects MUST be able to provide voluntary, informed consent to data collection and use, based upon a clear understanding of the purpose of the data collection and the use(s) to which the data will be put.
  2. The rights of the subjects MUST be observed, including rights to confidentiality, anonymity and the right to withdraw at any stage.
  3. Market research MUST be kept separate from any form of promotion or selling, it MUST NOT be a vehicle for disguised promotion.
  4. Subjects MUST be treated fairly and reasonably, with care and courtesy.
  5. Subjects MUST be protected for the duration of the study – not harmed, exposed, disadvantaged or made to feel uncomfortable in any way. Confidence in market research MUST NOT be abused.
  6. Data collection MUST be adequate, relevant and limited to the purpose(s) for which it is processed. Researchers MUST be transparent about the personal data they plan to collect, the reason(s) it is being collected and who it will be shared with.
  7. Data MUST be processed fairly and lawfully, and only used for the specific and lawful purposes for which it was obtained. Personal data must be accurate and up to date. It must be processed in accordance with the rights of individuals within national and international data protection and privacy legislation.
  8. There MUST be no unauthorized or unlawful processing, loss, destruction or damage to personal data. You must take appropriate technical and organizational measures to keep data safe.
  9. Data can only be transferred, to a third party or overseas, when adequately protected.
  10. Personal data MUST NOT be kept beyond the time required to fulfil the immediate purposes of the study.
  11. Researchers MUST behave ethically; they MUST NOT undermine or damage the reputation of healthcare market research. They MUST NOT disparage or appear to disparage competing companies or products.
  12. Researchers MUST conduct market research accurately, transparently, objectively and of appropriate quality.

FMR GLOBAL HEALTH is committed to protecting the personal data of its customers, respondents and employees. If you have any questions or require any further clarification, please contact Thierry Rollin who has been elected as responsible for data protection.