Cmed Privacy Shield

Cmed Privacy Shield Certification Notice

Cmed Group Ltd and all its subsidiaries including the US-registered Cmed Inc. (Cmed) abide to the European Union (EU) legislation on the protection of the EU/EEA personal data under Directive 95/46/EC, it includes the protection of personal data transferred outside of the EEA/EU. To provide adequate protection to transfer of personal data to the United States, the U.S. Department of Commerce and the European Union agreed on the EU/US Privacy Shield Framework. Under the EU/US Privacy Shield Framework, Cmed is committed to subject all personal data to the Principles set forth in the framework (1. Notice, 2. Choice, 3. Accountability for Onward Transfer, 4. Security, 5. Data Integrity and Purpose Limitation, 6. Access, and 7. Recourse, Enforcement and Liability, and the supplemental principles).

For more information on the Principles, the Privacy Shield and see our certification page, please visit


“Controller” means a person or organization which, alone or jointly with others determine the purposes and means of the processing of personal data.

“Sensitive personal data” means personal data concerning heath, race, ethnic origins, trade membership, sexual orientation, religious belief and political opinions.

“Personal Data” are data about an identified or identifiable individual that are within the scope of the Directive.

“Processing” of personal data means any operations or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination and erasure or destruction.

“Processor” means a person or organization that processes personal data on behalf of the Controller.

Under the Privacy Shield, Cmed collects, uses, retains personal information from:

  • Vendors, contractors
  • Employees and HR candidates
  • Clients
  • Health Care Professionals (site staff and principal investigators)
  • Patients [Information should be anonymized, key-coded when appropriate]

Cmed is supporting its clients in conducting global clinical trials, in the context Cmed collects personal information that could be transferred to the US, in cases where:

  • Cmed acts as an agent (data processor), for the purpose to provide clinical trial services (monitoring, regulatory, pharmacovigilance, statistic services) to Cmed’s Clients.
  • Cmed acts as a data controller, for the purpose of conducting feasibility and identifying and recruiting investigators for clinical trials.

As an employer, Cmed acts as a data controller and collects personal data for the purpose of managing its human resources and recruitment efforts.

Cmed offers the choice to individuals to opt-out if there information is to be shared to a third party or used for a different purpose than originally stated or later authorized. For Sensitive personal data, the opt-out option should express an affirmative and express consent.

Before transferring personal data to a third party acting as controller, Cmed will ensure that Individuals can opt-out and that a contract is signed requiring that the third party will provide the same level of protection.

When a third party is processing personal data on behalf of Cmed, Cmed remains responsible and liable under the EU/US Privacy Shield Framework if the data is processed in a way that is incompatible with the EU/US Privacy Shield Framework except if Cmed can demonstrate its absence of responsibility for the event that caused the damage.

Cmed takes reasonable and appropriate measures to protect personal data from loss, misuse, and un-authorized access, disclosure, alteration and destruction.

Cmed limits the use of personal data to the purpose for which the information has being collected or later authorized and when Cmed process information for clients, in accordance with their instructions.

Individuals have a reasonable and proportionate right to access their personal information held by Cmed, as well as correct, amend, and delete information if inaccurate or in violation of the Principle.

In cases where Cmed processes personal data on behalf of clients, requests should be addressed directly to the client (data controller).

Please note that Cmed and Cmed’s clients (pharmaceutical or medical device companies) are not required to apply the principles of Notice, Choice, and Accountability for Onward Transfer and Access in case of reporting product safety and efficacy monitoring to the extent that the adherence of the principles interfere with the compliance of regulatory requirements.

For all inquiries or complaints on personal data and the Privacy Shield, please contact:

  • Cmed Group ltd
  • Data Protection Officer
  • Holmwood, Broadlands Business Campus
  • Langhurstwood Road
  • Horsham, West Sussex, RH12 4QP, United Kingdom
  • F: +44 (0)1403 755051

Cmed decided to participate to the dispute resolution provided by the EU member states Data Protection Authorities (DPA) []. If the issues was not resolved to your satisfaction with Cmed, the complaints can brought to the DPAs.

If previous redress mechanism does not provide full satisfaction and under the conditions provided under the EU/US Privacy Shield Framework, you can invoke binding arbitration though the Privacy Shield (Arbitral) Panel. Under the Privacy Shield, Cmed is subject to the investigation and enforcements of the US Federal Trade Commission.

Cmed will comply with lawful requests from US authorities (law enforcement and national security) to disclose personal data.