CRS

Privacy

Data Protection at CRS

CRS Clinical Research Services Management GmbH (“CRS”) takes the protection of your personal data very seriously. When you use our website, we process your personal data. This policy outlines how we protect your data.

Data Confidentiality and Processing

Your data will be treated confidentially and processed only for the purpose for which it was collected, in accordance with statutory data protection provisions. We comply with the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). We employ technical and organizational measures to protect your data against manipulation, loss, destruction, or unauthorized access. These measures are regularly reviewed
 and adjusted.

Data Controller

The data controller responsible for data processing is:

CRS Clinical Research Services Management GmbH

Friedrich-König-Str. 3-5,

68167 Mannheim,

Email: info.management@crs-group.de

Under the management of Dr. Elisabeth Lackner and Prof. Dr. Thomas Forst.

Data Protection Officer

CRS has appointed a Data Protection Officer, who can be contacted at:

CRS Clinical Research Services Management GmbH


Friedrich-König-Str. 3-5,


D-68167 Mannheim,


Email: datenschutzbeauftragter@crs-group.de

Changes to Data Protection Declaration

We reserve the right to change or adapt this data protection declaration at any time in compliance with applicable data 
protection regulations.

Processing of data when using this website

When you use our website, your browser transmits the following data to our server:

  • IP address of the requesting computer,
  • Date and time of access,
  • Name and URL of the retrieved file,
  • Website from which the access is made (referrer URL)
  • The browser used (user agent string) and, if applicable, the operating system of your computer as well as the name of your access provider.

This data is not merged with other data sources.

This data is kept for 30 days. The log files are deleted at the end of a calendar month and can be evaluated statistically. The evaluation takes place in anonymized form.

This data processing is necessary to ensure the proper functioning of the website and the display of the website on the respective device. The legal basis for this data processing is Art. 6 (1) lit. b) GDPR (preparation for the performance of a contract) and Art. 6 (1) lit. f GDPR (legitimate interest of CRS in the stability and functionality of the website).

Recipients of data

As a matter of principle, we do not pass on your data to third parties. For the hosting and maintenance of our website, we rely on the use of service providers who we oblige to comply with the legal requirements via order processing.

Cookies

Our websites use cookies. Cookies are text files that are stored in or by the internet browser on the user’s computer system. When you visit our website, a cookie may be placed on your operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

The legal basis for this data processing is Art. 6 (1) lit. b GDPR (performance of a contract), Art. 6 (1) lit. a GDPR (your informed consent) and Art. 6 (1) lit. f GDPR (legitimate interest of CRS in the best possible functionality of the website).

We use the following types of cookies:

Strictly Necessary cookies enable basic functions and are necessary for the proper functioning of the website.

NameBorlabs Cookie
ProviderWebsite Owner (Imprint)
PurposeSaves the settings users make in the Borlabs Cookie consent box
Cookie NameBorlabs-cookie
Cookie Runtime365 Days

Functional cookies enable enhanced functionality and personalization by remembering user preferences and settings.

Name
Provider
Purpose
Cookie Name
Cookie Runtime

Performance cookies collect information about how visitors use the website to help improve its functionality and user experience.

Name
Provider
Purpose
Privacy Policy
Host(s)

Targeting cookies enable our advertising partners to create a profile of your interests and display relevant ads on other sites. They do not store personal information directly but uniquely identify your browser and internet device. Disabling these cookies will result in less personalized advertising.

Name
Provider
Purpose
Privacy Policy
Host(s)
Cookie Name
Cookie Runtime

Other cookies enhance website functionality and personalization and can be set by us or third-party providers whose services we’ve integrated into our pages.

Name
Provider
Purpose
Privacy Policy
Host(s)
Cookie Name
Cookie Runtime

Cookies are stored until their specified time or until deleted from your browser. Session cookies are stored until the session expires.

Revocation option

You have the option to delete necessary cookies stored on your device at any time by removing them from your browser settings. Instructions on how to manage cookies can typically be found in the guidance provided by your browser manufacturer. Please note that disabling these cookies may impact your ability to fully utilize all functions of this website.

Cookie consent tool

We utilize a “cookie consent tool” to effectively obtain consent for cookies and cookie-based applications requiring consent. This tool appears as an interactive user window upon visiting our website. By ticking the box, users provide consent for specific cookies and/or cookie-based applications. Consequently, only cookies requiring consent are activated upon user consent. This processing, aimed at storing, assigning, or logging cookie settings, is conducted in compliance with Art. 6 para. 1 lit. f GDPR, reflecting our legitimate interest in maintaining legally compliant, personalized, and user-friendly cookie consent management and website design. Additionally, our processing is supported by Art. 6 para. 1 lit. c GDPR, acknowledging our responsibility to tie the use of technically unnecessary cookies to user consent. To safeguard visitor data, we have established an order processing agreement with our provider, ensuring protection against unauthorized data disclosure to third parties.

Your Rights

You may request confirmation from CRS regarding the processing of personal data related to you. If such processing has occurred, you have the right to obtain further information on the following:

  1. The purposes for which your personal data are processed.
  2. The categories of personal data processed.
  3. The recipients or categories of recipients to whom your personal data have been or will be disclosed.
  4. The expected duration of storage of your personal data, or if specific information is not possible, the criteria used to determine that duration.
  5. Your rights to rectify or erase your personal data, to restrict its processing by the controller, or to object to such processing.
  6. Your right to lodge a complaint with a supervisory authority.
  7. Any available information about the origin of the data, if it was not collected directly from you.
  8. The existence of automated decision-making, including profiling.

You have the right to request information on whether your personal data is transferred to a third country or international organization. In this context, you may request details about the adequate safeguards under Article 46 of the GDPR pertaining to such transfers.

You generally have the right, free of charge, to request the correction or deletion of your personal data, as well as to restrict its processing at CRS. Under certain circumstances, you also have the right to object to further processing of your personal data. In such cases, please contact your BD contact person, the HR department of CRS to which you applied, or the CRS Data Protection Officer at datenschutzbeauftragter@crs-group.de.

Additionally, you have the right to contact the competent supervisory authority. For CRS, this is the State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (email: poststelle@lfdi.bwl.de or via the contact form on the website). You can also contact any other data protection supervisory authority (contact details available at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html).

Duration of Storage

The storage period of personal data is determined by the respective legal basis, the purpose of processing, and, where applicable, legal retention periods. Personal data processed based on explicit consent under Article 6(1)(a) GDPR will be retained until consent is revoked. Data subject to statutory retention periods under Article 6(1)(b) GDPR will be deleted after these periods expire, provided it is no longer necessary for contract fulfillment or initiation, and no legitimate interest justifies continued storage. Personal data processed under Article 6(1)(f) GDPR will be stored until you exercise your right to object under Article 21(1) GDPR, unless compelling legitimate grounds override your rights, or the data is needed to establish, exercise, or defend legal claims. Data processed for direct advertising under Article 6(1)(f) GDPR will be stored until you object under Article 21(2) GDPR. Unless stated otherwise in specific processing scenarios, personal data will be deleted when no longer necessary for its original collection or processing purposes.

We collect, process, or use personal data only as necessary for establishing, defining, or modifying legal relationships (inventory data). This processing is based on Article 6(1)(b) and (f) of the EU General Data Protection Regulation (GDPR), as well as Section 40(1) of the Medicinal Products Act (AMG).

CRS collects and stores customer data (company name, contact person, contact details, and communication content) in an electronic file dedicated to customer data management. This data is obtained directly from customers and is utilized to facilitate the preparation and execution of contractual relationships for clinical trials and customer acquisition. Additionally, we gather and process personal data from suppliers (name, contact information, and company evaluations) as part of our supplier qualification process.

Access to the electronic customer data management file is restricted to employees in the Business Development and Marketing departments, as well as Management, ensuring confidentiality and non-disclosure to third parties.

Contractual information and supplier qualification data are primarily intended for internal use by employees in the Business Development, Project Management, and Quality Assurance departments, as well as those responsible for clinical trials. In cases of regulatory inspections or sponsor audits, this information may also be accessed by authorized third parties.

Information stored in the electronic customer data management system and supplier qualification records will be retained for the duration of the company’s existence. Clinical trial agreements are preserved for a minimum of 25 years in compliance with EU Regulation No. 536/2014.

You have the right to request correction or deletion of your personal data free of charge, and to restrict its processing at CRS under certain conditions. Additionally, since May 28, 2018, you have the right to receive the personal data you have provided to CRS in a structured, commonly used, and machine-readable format (Right to Data Portability). To exercise these rights, please contact your Business Development department contact at CRS or the CRS Data Protection Officer. Furthermore, you have the right to lodge a complaint with the relevant supervisory authority.

At CRS, safeguarding your personal data is of utmost importance to us. We ensure that your personal information is handled confidentially and in strict compliance with data protection laws. Our designated Data Protection Officer oversees adherence to these statutory requirements and can be contacted at: datenschutzbeauftragter@crs-group.de.

Responsibility for Data Protection

The entity responsible for data protection (“controller”) is the Management of the CRS location to which you have applied.

Handling of Application Documents

Documents submitted during the application process are stored and managed by our Human Resources (HR) department. This includes personal data such as your name, address, date of application, and desired position, along with internal notes (e.g., document transfer, comments). Access to this information is limited to relevant HR personnel, line managers, and, where applicable, members of the works council and Management. It is not disclosed to third parties.

Retention of Data

Your data is retained for as long as necessary to complete the application process and, if applicable, to finalize an employment contract. In cases where employment is not feasible, your documents will be returned to you. Electronic data is deleted after 6 months, except for data retained in internal application lists, which may be kept for up to 1 year to facilitate future contact regarding potential positions of interest. If you wish to object to this retention period, please inform our HR department.

Employment Relationship

Upon entering into an employment relationship with CRS, we collect and process your data as required to fulfill contractual obligations (e.g., contract drafting, personnel records, payroll).

Data Security

The management of your contracted location assumes responsibility for the secure handling of your personal data. For processing activities that involve higher risks to your rights and freedoms (e.g., handling health data in company reintegration management), detailed process descriptions are available. These can be accessed in the electronic SOP system “BM-Flow” (document type: method description, search by procedure). Detailed information on our processing of employee data is also available on our intranet under “Data Protection” > “Record of Processing Activities” (Verfahrensverzeichnis), outlining the purpose, legal basis, potential recipients, storage duration, and other pertinent details of each processing activity involving employee data.

Email Communication

Please note that all processing activities involving computerized systems, including email accounts and their contents, are accessible to our IT administrators as a standard practice. Therefore, emails containing confidential or personal information must be sent using the Lotus Notes encryption option. It is important to emphasize that encrypted emails cannot be accessed by deputies under any circumstances in the absence of the sender.

Your Rights

You have the right to request the correction or deletion of your personal data free of charge, as well as to restrict its processing under certain conditions. You may also object to further processing of your personal data. For assistance, please contact your HR department contact at CRS or the CRS Data Protection Officer.

Complaints

Additionally, you have the right to file a complaint with the relevant supervisory authority. For CRS Management and its subsidiaries, this authority is the State Commissioner for Data Protection and Freedom of Information in Baden-Wuerttemberg (email: poststelle@lfdi.bwl.de or via the contact form on their website). You may also contact any other data protection supervisory authority.

We utilize Microsoft 365 applications exclusively for business collaboration purposes related to projects, orders, and the fulfillment of contractual obligations. Microsoft 365 applications are strictly used for business purposes.

Note: This privacy notice specifically addresses CRS’s handling of your personal data when utilizing Microsoft 365 applications.

Microsoft 365 applications are provided by Microsoft Corporation. For information regarding Microsoft’s processing practices, please refer to their relevant statement.

Controller

CRS Clinical Research Services Management GmbH is the responsible entity under applicable data protection laws.

Microsoft Cooperation, as our contractual partner, operates Microsoft Office 365 as a processor within the meaning of Article 28 of the GDPR for CRS.

Note: When accessing the “Microsoft Teams” website, data processing is the responsibility of the provider of “Microsoft Teams”. Accessing the website is necessary only to download the software for “Microsoft Teams” usage. If you prefer not to use the “Microsoft Teams” app, you can also access “Microsoft Teams” via your browser through the “Microsoft Teams” website.

Data Processed

When using Microsoft 365 applications, the following personal data is automatically processed:

  • Your IP address
  • Identifiers: Information that identifies you as a user, sender, or recipient within Microsoft 365 applications. This includes name, first name, business contact details such as phone number, email address, business fax number, if provided by you. Additional data, such as a profile picture you may have uploaded, can also be viewed and individually adjusted at any time within your profile, particularly in Outlook.
  • Your access data for Microsoft 365 applications, including data related to two-factor authentication.
  • All user activities within Microsoft 365 applications, such as time, date, type of access, information on accessed files/documents, and all activities related to document creation, modification, and deletion, team creation (including channels within teams), starting chats, and responses within chats.

When using “Microsoft Teams”, different categories of data are processed. The extent of data processed depends on the information provided by you before or during participation in an online meeting.

The following personal data is processed:

  • User details: e.g., display name, email address (if applicable), optional profile picture, preferred language.
  • Meeting metadata: e.g., date, time, meeting ID, phone numbers, location.
  • Text, audio, and video data: If you use the chat function during an online meeting, your text entries are processed to display them within the meeting. Video and audio data from your device’s microphone and camera are processed to enable video display and audio playback during the meeting. You can independently mute or turn off the camera or microphone at any time using the “Microsoft Teams” applications.
Scope of Processing

We utilize “Microsoft Teams” for conducting online meetings. If we intend to record online meetings, we will inform you transparently in advance and, if necessary, seek your consent.

Automated decision-making within the meaning of Article 22 of the GDPR is not employed.

Legal Basis for Data Processing For processing personal data of CRS employees, Section 26 of the German Federal Data Protection Act (BDSG) serves as the legal basis. If personal data unrelated to the establishment, execution, or termination of employment is processed but essential for using “Microsoft Teams”, the legal basis for data processing is Article 6(1)(f) of the GDPR. In such cases, our interest lies in efficiently conducting online meetings.

Additionally, the legal basis for data processing during online meetings is Article 6(1)(b) of the GDPR when meetings are conducted within contractual frameworks. In the absence of a contractual relationship, the legal basis is Article 6(1)(f) of the GDPR, where our interest is again in the effective conduct of online meetings.

Recipients / Disclosure of Data Apart from cases explicitly mentioned in this privacy notice, your personal data will only be disclosed without your express consent if legally permissible or mandated.

Personal data processed during online meetings is generally not disclosed to third parties unless explicitly intended for such purposes. Please note that contents of online meetings, like in-person meetings, may involve sharing information with clients, interested parties, or third parties.

Other recipients: The provider of “Microsoft Teams” necessarily gains access to the above-mentioned data as stipulated in our processing agreement with “Microsoft Teams”.

Data Processing Outside the European Union As a general practice, data processing does not occur outside the European Union (EU), as we limit our data storage locations to EU data centers. However, data may traverse international internet servers outside the EU. This can occur, particularly if online meeting participants are located in a third country. Nevertheless, data is encrypted during transmission over the internet to safeguard against unauthorized access by third parties.

Data Protection Officer

We have appointed a Data Protection Officer who can be contacted at:

CRS Clinical Research Services Management GmbH – Datenschutzbeauftragter – Friedrich-König-Str. 3-5 68167 Mannheim

Email: datenschutzbeauftragter@crs-group.de

Your Rights as a Data Subject

You have the right to access personal data concerning you. You may contact us for information at any time.

For non-written requests for information, we may request proof of your identity.

Furthermore, you have the right to rectification, deletion, or restriction of processing, as legally entitled.

You also have the right to object to processing within the limits of the law.

Under data protection law, you have the right to data portability.

Data Deletion

We generally delete personal data when no longer necessary for continued storage. Specific requirements may dictate retention, such as for contractual service fulfillment, warranty reviews, and any applicable guarantee claims. For statutory retention obligations, deletion occurs only upon expiry of the respective retention period.

Right to Complain to a Supervisory Authority

You have the right to lodge a complaint regarding the processing of personal data by us to a data protection supervisory authority.

Changes to this Privacy Notice

We revise this privacy notice as necessary in response to changes in data processing or other relevant circumstances. The latest version is always available on this website.

As of: March 29, 2022