EU-US Privacy Shield Policy


The Regulatory & Clinical Research Institute, Inc. (RCRI) is a contract research organization that provides regulatory affairs and clinical research consulting services to medical product manufacturers (hereinafter termed as “Sponsor”). As such, it enters into contractual relationships that specify the terms and conditions under which RCRI will assist in the design, implementation, data storage, analysis, and report generation of the outcomes of clinical research projects performed under the sole authority of the Sponsor. The Sponsor typically holds all title, rights, and responsibilities for the data provided to RCRI. The RCRI-Sponsor contracts expressly forbid RCRI from uses or disclosures of the Sponsor’s data or other confidential information outside the documented work instructions of the Sponsor, or as required by law.

Privacy Policy Statement

RCRI respects the relationships we have with our Clients and respects the privacy of patients, healthcare providers, business partners and others whose Personal Information (see Definitions) may be processed by RCRI in the performance of our services, including individuals participating in clinical research studies. RCRI provides an adequate level of protection with respect to transfer of personal data out of the EU to other countries for the performance of our services. To meet the adequacy requirement with respect to these transfers, RCRI adheres to the EU-US Privacy Shield Framework (i.e., the Privacy Shield Principles and the Supplemental Principles; hereinafter the “Principles”) as set forth by the U.S. Department of Commerce for the collection, use, and retention of personal information obtained from European Union member countries. RCRI certifies that it adheres to the relevant Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability in fulfilling its relevant contractual responsibilities assigned by the Sponsor for the receipt, processing, storage, and reporting of data. If there is any conflict between the policies in this Privacy Policy and the Principles, the Principles shall govern. This Privacy Policy outlines our general policies and practices for implementing the Principles. This Privacy Policy applies to all Personal Information (see Definitions) originating from E.U. Member States and provided to RCRI whether in electronic, paper, or oral format, including Personal Information relating to investigators or participants in clinical trials where RCRI provides services to Sponsors as a clinical research organization. This Policy does not apply to information or data other than as described above. This Privacy Policy is publicly displayed at “”. For more information about the Privacy Shield Program, and to view our certification page, visit the U.S. Department of Commerce’s website at


For purposes of this Privacy Shield Policy, the following definitions apply: “Client” or “Sponsor” means any individual, corporation, or other entity which contracts RCRI to perform services involving the transfer, processing, or reporting of Personal Information on behalf of and under the instructions of said “Client”/“Sponsor”. “Personal Information” or “Information” means information that (1) pertains to a specific individual; (2) can be uniquely linked to that individual (e.g., by name, social security number, driver’s license); (3) originated in an E.U. Member State: and, (4) is provided in any form. Personal Information does not include information that is encoded, stripped of all personal identifiable information, or that is publicly available. “Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns the health or sex life of an individual. RCRI will also treat as Sensitive Personal Information any information received from a Sponsor where that Sponsor treats and identifies the information as sensitive. “Subcontractor” means any individual, corporation, or other entity under written contract with RCRI to assist in fulfilling the responsibilities assigned by the Sponsor.

Privacy Principles

The following privacy principles are based on the Privacy Shield Principles and the definitions applied therein.

Notice RCRI acts solely as an agent of the Sponsor. In this capacity, RCRI may be assigned the responsibility to collect Personal Information directly from study subjects, study investigators, or other sources in the E.U. or may receive such Personal Information directly from the Sponsor. The latter holds legal authority for conduct of the clinical research. RCRI is contractually forbidden from independently releasing the Personal Information to third parties or using the Personal Information in a manner outside the scope of documented work instructions, or as required by law. The provision of study subjects’ rights for “Notice” as stated in the Principles is under the control of the Sponsor and is implemented via an informed consent process which describes the purposes for which the data are collected and used and to what third parties their data are provided as well as how to contact the Sponsor or RCRI in the event of inquiries or complaints. Should RCRI determine that fulfillment of its responsibilities will require that a study subject’s right of “Notice” be expanded beyond that provided in the Sponsor’s original informed consent process, RCRI will notify the Sponsor and assist the latter in the provision of “Notice” prior to initiating the requested work activities. RCRI may not need to furnish notice where Personal Information disclosure is necessary to respond to a lawful government inquiry, is required /authorized by law, court orders or government regulations.


When RCRI is contractually requested to provide guidance to the Sponsor regarding the informed consent process for study subjects in the E.U., RCRI will recommend incorporation of the provisions pertaining to “Choice”. The Sponsor alone holds the legal authority to provide study subjects the choice to (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Similarly for Sensitive Personal Information, RCRI is under the legal authority of the Sponsor to give individuals the opportunity to affirmatively or explicitly choose (opt in) to allow the disclosure of their Sensitive Personal Information for a purpose other than the purpose for which it was originally collected or to be disclosed to a third party. In some cases, even if an individual opts-out of disclosures of their Personal Information, RCRI may still disclose such Personal Information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if RCRI believes disclosure is necessary to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.

Accountability for Onward Transfer

RCRI may share Personal Information with its subcontractors or other agents of the Sponsor as necessary to successfully fulfill the work instructions provided by the Sponsor. RCRI may, for example, provide such Personal Information to subcontractors hosting our databases, to core laboratories participating in the research project, or to study subjects that request copies of the Personal Information collected by the Sponsor. In the latter two examples, the authority for “onward transfers” is held by the study Sponsor. RCRI will obtain assurances from its subcontractors that they will safeguard Personal Information consistently with this Privacy Policy. Examples of appropriate assurances that may be provided by subcontractors include: a contract with provisions obligating the subcontractor to provide at least the same level of protection as is required by the relevant Privacy Shield Principles, being subject to the EU Data Protection Directive, Privacy Shield certification by the subcontractor, having Binding Corporate Rules approved by the European Commission, or being subject to another European Commission adequacy finding (e.g., Argentina, Canada, Guernsey, or Isle of Mann). Where RCRI has knowledge that a subcontractor is using or disclosing Personal Information in a manner contrary to this Privacy Policy, it will take reasonable steps to prevent or stop the use or disclosure. RCRI may also be required to disclose Personal information in response to a lawful request by public authorities, including meeting national security or law enforcement requirements. If RCRI shares data of EU individuals received pursuant to the EU-US Privacy Shield with a subcontractor, then RCRI will be liable for that subcontractor’s processing of the data in violation of the Privacy Shield Principles, unless we can prove that we are not responsible for the event giving rise to the damage.


EU individuals have a right to access Personal Information about them processed under Privacy Shield. RCRI is contractually prohibited from releasing or otherwise disclosing Personal Information received from or on behalf of the Sponsor without written permission from the Sponsor, or as required by law. All requests for “Access” will be forwarded to the Sponsor for processing and RCRI will abide by any resulting instructions to correct, amend, or delete Personal Information about themselves.

Data Security

RCRI shall take reasonable steps to protect the Personal Information in its possession from loss, misuse, unauthorized access, unapproved disclosure, erroneous alteration, and unintended destruction. RCRI has implemented appropriate physical, electronic, and quality system procedures to safeguard and secure Personal Information. RCRI cannot guarantee the security or accuracy of Personal Information recorded, transcribed, or processed prior to its receipt or subsequent to its surrender to the Sponsor. RCRI is not responsible for the illegal acts of third parties or the consequences of such acts.

Data Integrity and Purpose Limitation

RCRI is contractually bound to process Personal Information only in a manner that is consistent with the responsibilities assigned to it by the Sponsor. To the extent necessary and appropriate for those purposes, RCRI shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.

Recourse, Enforcement, and Liability

RCRI uses a self-assessment approach to assure compliance with this Privacy Policy and periodically verifies that this Privacy Policy is accurate and comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Privacy Shield Principles. Any employee of RCRI found to have acted in violation of this Privacy Shield Policy will be subject to disciplinary action up to and including termination of employment. In compliance with the EU-US Privacy Shield Principles, RCRI commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact RCRI at: RCRI, Inc. 5353 Wayzata Boulevard, Suite 505 Minneapolis, MN 55416 Phone: 952-746-8080 Email:

RCRI has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield to the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by RCRI, please visit the BBB EU PRIVACY SHIELD web site at for more information and to file a complaint. If a complaint cannot be resolved through these or other channels, under limited conditions, EU individuals may invoke binding arbitration before a Privacy Shield Panel of the U.S. Department of Commerce and the European Commission. The Federal Trade Commission has enforcement jurisdiction over RCRI’s compliance with the Privacy Shield. Pursuant to the Privacy Shield, RCRI remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.


The restrictions and limitations described in this Privacy Policy shall not apply to the extent a disclosure or other action is reasonably required to respond to a legal or ethical obligation or to the extent a disclosure or other action is permitted or required by an applicable law, rule, or regulation.


This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield Framework. We will post any revised policies on the RCRI website. The U.S. Department of Commerce’s Privacy Shield Website can be found at

Effective February 2019