INTRODUCTION AND PURPOSE

4C Pharma Solutions LLC (“4C”, “we”, “our”, or “us”) is committed to protecting the privacy and personal data of individuals, particularly in the context of our pharmacovigilance, regulatory, and safety services. This Privacy Policy outlines how we process, use, disclose, and safeguard personal data as per regulatory requirements, including data transferred from the European Union (EU), United Kingdom (UK), and Switzerland to the United States under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Legal Name:  

4C Pharma Solutions LLC

15 Corporate Place South, Suite 110, Piscataway, New Jersey, USA. 08854

4C Pharma Solutions (4C Pharma) is a comprehensive healthcare solutions company specializing in Pharmacovigilance, Medical Information Call Center, Regulatory Affairs, Medical Writing and Hosting Solutions. Visit us at https://www.4cpharma.com/ for more information.

4C Role: We act as a data processor on behalf of our clients, who are the data controllers. This means we process personal data strictly under their instructions to fulfill our contractual obligations. Our clients include pharmaceutical companies, biotech firms, and clinical research organizations (CROs).

Affirmation statement

4C Pharma Solutions LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. 4C has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. 4C has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

SCOPE

This policy applies to all personal data and, where relevant, personal health information (PHI) that we process relating to individuals in the European Union (EU), United Kingdom (UK), India, Canada, Australia and USA. It also applies to all personal data received by 4C Pharma in the United States from the EU, UK, and Switzerland in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Frameworks (DPF), including but not limited to:

  • Patient Health Information
  • Healthcare professional data
  • Client and vendor data
  • Human resources (HR) data
  • Clinical trial data

POLICY DETAILS

Types of Personal Data

As a pharmacovigilance service provider, we handle data that is critical for drug safety and public health. This data is essential for identifying, assessing, understanding, and preventing adverse effects of medicinal products. We may process the following categories of personal data:

  • Pharmacovigilance data: Adverse event reports, source document, medical histories, patient data/demographics, medical records, insurance information, diagnoses, treatments (for HIPAA-covered entities).
  • Professional data: Names, contact details, qualifications of healthcare professionals
  • HR data: Employee records, payroll, benefits, performance data
  • Client/vendor data: Business contact information, contractual details
  • Regulatory data: Clinical trial information, regulatory submissions

Data Privacy Framework Compliance

4C Pharma adheres to the following DPF Principles:

Notice:

  • We are transparent about the types of personal data we process, the purposes for which we process it, and our legal basis for doing so.

Choice:

  • We process data as a data processor under the instructions of our clients. Individuals may opt out of disclosures or uses beyond original purposes. For sensitive data, individuals will be asked to provide affirmative express consent (opt in) before their personal data is shared with third parties other than agents, or before their personal data is used for a purpose other than that for which it was originally collected or subsequently authorized.

Accountability for Onward Transfer:

  • 4C ensures that third parties provide equivalent protection. We remain liable for onward transfers.
  • 4C ensures all onward data transfers to sub-processors, business partners, and regulatory bodies are secured by contracts requiring equivalent privacy standards.

Security:

  • We have implemented safeguards against unauthorized access or loss.
  • We have implemented robust administrative, physical, and technological controls, including role-based access, data encryption in transit and at rest, frequent security checks, and secure data transfer protocols.

Data Integrity and Purpose Limitation:

  • We take all reasonable steps to ensure that the data we process is accurate, complete, and relevant for its intended use.
  • We use personal data solely for pharmacovigilance activities and regulatory purposes.

Access:

  • Individuals may access, correct, amend or delete their data except when legal or safety reporting requirements take precedence.

Recourse, Enforcement, and Liability:

  • We conduct internal reviews and have provided dispute resolution mechanisms in section 5.11 of this policy.

Purpose of Data Processing

We process personal data for the following purposes:

  • Pharmacovigilance and safety reporting
  • Regulatory compliance and submissions
  • HR and employment administration
  • Client and Supplier relationship management
  • Legal and contractual obligations
  • Managing our services
  • Emergencies, public interest, or as otherwise required or permitted by law.

Third-Party Disclosures

We may be required to disclose personal data to the following entities:

  • Our Clients (Data Controllers): We transfer the processed data back to our clients, who are legally responsible for submitting adverse event reports to health authorities. For a few of our clients, we are responsible for submitting adverse event reports to health authorities on their behalf.
  • Regulatory Authorities: We may be legally obligated to disclose information to health authorities like the U.S. FDA, the European Medicines Agency (EMA), or other regulatory bodies. In certain situations, we may also be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • Sub-processors: We may use other service providers (sub-processors) to assist us with our services. We enter into an agreement with each sub-processor, ensuring they comply with the regulatory requirements and provide the same level of data protection.
  • Legal and compliance advisors: In the event of a legal dispute, regulatory inquiry, or internal investigation, we may share relevant data with legal/compliance advisors to assess risk, respond to authorities, or defend our interests.

Independent Recourse Mechanism (IRM)

Binding Arbitration

  • We commit to the DPF’s binding arbitration mechanism for unresolved complaints, administered by the ICDR-AAA.

Data Retention

  • We retain personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by applicable laws and regulations.

Rights of Individuals

Individuals have:

  • The right to request access to their personal data
  • The right to request a copy of your personal data that 4C Pharma holds about you
  • The right to request 4C Pharma to rectify your inaccurate or out-of-date personal data
  • The right to request that your personal data is deleted when it is no longer necessary for 4C Pharma to retain such data
  • The right to withdraw any consent (where applicable) to personal data processing at any time
  • The right to request 4C Pharma to provide you with your personal data and, if possible, to pass on this information directly (in a portable format) to another data controller when the processing is based on consent or contract
  • The right to request a restriction on further data processing in case there is a dispute in relation to the accuracy or processing of your personal data
  • The right to object to the processing of personal data, in case data processing has been based on legitimate interest and/or direct marketing
  • The right to file a complaint with the relevant supervisory authority

To exercise these rights, contact us at: dpo@4cpharma.com

Enforcement and Verification

We conduct periodic audits and training to ensure compliance with this policy and the DPF Principles. Violations are addressed promptly and may result in disciplinary action. With respect to personal data received or transferred pursuant to the DPF Program, 4C is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Contact Information

For questions or complaints regarding this policy or our DPF compliance, contact our DPO:

Asif Mohammed

4C Pharma Solutions LLC

15 Corporate Place South, Suite 110, Piscataway, New Jersey, USA. 08854

Email: asif@4cpharma.com

Phone: +1 (732) 529-6989

Dispute Resolution

4C commits to resolve any privacy related complaints

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), 4C commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact the 4C DPO (refer to section 5.10).

We have further committed to refer unresolved privacy complaints under the DPF Principles to our IRM Provider (BBB National Programs), an independent dispute resolution mechanism located in the United States.

If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For more information about the binding arbitration process, please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

This service is provided free of charge to you.

For complaints involving human resources data transferred from the EU, UK, or Switzerland in the context of the employment relationship, we commit to cooperate with the EU data protection authorities (DPAs- https://www.edpb.europa.eu/about-edpb/about-edpb/members_en), the UK Information Commissioner’s Office (ICO- https://ico.org.uk/make-a-complaint/), and the Swiss Federal Data Protection and Information Commissioner (FDPIC- https://www.edoeb.admin.ch/en/contact-2), as applicable, and comply with their advice.

Changes to This Policy

4C will update this policy as per the 4C review process. Changes will be posted on our website with the updated effective date. 4C Pharma reserves the right to amend this Privacy Statement at any time. The applicable version will always be found on our websites.

Misrepresentation and Enforcement

4C Pharma will not claim DPF participation until the self-certification is finalized. Any misrepresentation may be subject to enforcement by the relevant authorities.

Use and Disclosure of Data

Your data may be accessed by our staff and trusted partners, strictly as necessary for the above purposes.

For HIPAA-covered entities, your PHI is disclosed only as permitted under the HIPAA Privacy Rule.

Data may be shared with third parties or processors under binding agreements meeting GDPR/DPA/DPDPA requirements, ensuring data protection standards are maintained.

We may transfer personal data outside your jurisdiction, only to countries providing adequate protection and subject to appropriate safeguards.

Cookies and Tracking

We use cookies and similar technologies for website functionality and analytics. Details are provided in our Cookie Policy.

Use of sub-contractors (processors and sub-processors)

  • We may use sub-contractors to process personal data on our behalf (if applicable); we are responsible for making sure they commit themselves to adhere to this Privacy Policy and applicable data protection legislation by signing a Confidentiality Disclosure Agreement.
  • If the sub-contractor processes Personal Data outside the EU/EEA area, the UK or Switzerland, such processing must be in accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF, EU Standard Contractual Clauses for transfer to third countries, or another specifically stated lawful basis for the transfer of personal data to a third country.
  • If a new sub-contractor is signed or a change of sub-contractor is performed related to our services, the customers will be notified in line with our Terms of Service.

Data Security

We have implemented appropriate organizational and technical security safeguards, including encryption, access controls, and regular risk assessments to protect your data against unauthorized access, loss, or disclosure. In the event of a personal data breach, we will notify affected individuals and authorities as required (GDPR/UK GDPR/DPA: within 72 hours; HIPAA: within 60 days).

Special Provisions

Types of Data We Do Not Process: We do not process personal data for marketing, advertising, or any other commercial purposes unrelated to pharmacovigilance.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, 4C Pharma shall promptly assess the risk to people’s rights and freedoms. If appropriate, the following actions will be taken:

  • The DPO will initiate the breach response protocol by coordinating with external authorities.
  • Notify the 4C IRM Provider and the U.S. Department of Commerce (if applicable) and cooperate with them in resolving complaints related to the breach.
  • Notify affected individuals without undue delay, especially if the breach poses a high risk to their rights and freedoms.
  • Information shall be provided with respect to the nature of the breach, data affected, action plan, and contact details for further inquiries.
  • Breaches will be reported to responsible authorities within 72 hours of becoming aware.
  • In the event a breach involves HR data or if individuals file complaints through their Data Protection Authorities, 4C will cooperate with the relevant DPA and provide documentation and updates as requested.

4C is committed to comply with final DPF review decisions.

Data Breach Notification Requirements by Jurisdiction

| Jurisdiction | Regulatory Authority | Reporting Timelines | Method of Communication | Communication Email / Phone |
| --- | --- | --- | --- | --- |
| EU (GDPR) | Different Authorities within EU | Within 72 hours | Online portal or official email | Varies by country. Refer to the link for national data protection authorities: https://www.edpb.europa.eu/notify-data-breach_en |
| UK (UK GDPR) | Information Commissioner’s Office (ICO) | Within 72 hours | Online breach reporting form | casework@ico.org.uk / +44 303 123 1113 |
| U.S. (HIPAA) | HHS Office for Civil Rights (OCR) | Within 60 days (if ≥500 individuals affected) | Online form via HHS website | OCRPrivacy@hhs.gov / 1-800-368-1019 |
| FTC (DPF enforcement) | Federal Trade Commission (FTC) | Prompt notification if breach affects DPF compliance | Email or formal letter to FTC | No direct email; contact via https://www.ftc.gov |
| EU-U.S. DPF | U.S. Department of Commerce (ITA) and FTC | Prompt notification expected | Email or formal letter | dpf.program@trade.gov / +1 (202) 482-1512 |
| Canada (PIPEDA) | Office of the Privacy Commissioner of Canada (OPC) | As soon as feasible if risk of significant harm | Online form or email | breach@priv.gc.ca / +1 800 282 1376 |
| Australia (Privacy Act) | Office of the Australian Information Commissioner (OAIC) | Within 30 days of becoming aware | Online form via OAIC website | enquiries@oaic.gov.au / +61 1300 363 992 |

RELATED GUIDELINES, DOCUMENTS AND REFERENCES

Data Privacy Framework Program- https://www.dataprivacyframework.gov/

GDPR- https://gdpr-info.eu/ 

HIPAA- https://www.hhs.gov
