Cmed Privacy Shield

Cmed Privacy Shield Certification Notice

Cmed Group Ltd and all its subsidiaries including the US-registered Cmed, Inc (Cmed) abide to the European Union (EU) legislation on the protection of the EU/EEA personal data under the General Data Protection Regulation 2016 / 679, it includes the protection of personal data transferred outside of the EEA/EU. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Under the EU/US Privacy Shield Framework, Cmed is committed to subject all personal data to the Principles set forth in the framework (1. Notice, 2. Choice, 3. Accountability for Onward Transfer, 4. Security, 5. Data Integrity and Purpose Limitation, 6. Access, and 7. Recourse, Enforcement and Liability, and the supplemental principles).

Cmed complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Switzerland to the United States.

For more information on the Principles, the Privacy Shield and see our certification page, please visit


“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of the processing of personal data.

“Sensitive personal data” means personal data concerning heath, genetic and biometric data, race, ethnic origins, trade union membership, sexual orientation, religious or philosophical beliefs and political opinions.

“Personal Data” means any information relating to an identified or identifiable natural person (data subject).

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller. Under the Privacy Shield, Cmed collects, uses, retains personal information from:

  • Vendors, contractors
  • Employees and HR candidates
  • Clients
  • Health Care Professionals (site staff and principal investigators)
  • Patients [Information should be anonymized, key-coded when appropriate]

Cmed is supporting its clients in conducting global clinical trials, in the context Cmed collects personal information that could be transferred to the US, in cases where:

  • Cmed acts as an agent (data processor), for the purpose to provide clinical trial services (monitoring, regulatory, pharmacovigilance, statistic services) to Cmed’s Clients.
  • Cmed acts as a data controller, for the purpose of conducting feasibility and identifying and recruiting investigators for clinical trials.

As an employer, Cmed acts as a data controller and collects personal data for the purpose of managing its human resources and recruitment efforts.

Cmed offers the choice to individuals to opt-out if their information is to be shared with a third party or used for a different purpose than originally stated or later authorized. For Sensitive personal data, the opt-out option should express an affirmative and express consent.

Before transferring personal data to a third party acting as controller, Cmed will ensure that Individuals can opt-out and that a contract is signed requiring that the third party provides the same level of protection.

When a third party is processing personal data on behalf of Cmed, Cmed remains responsible and liable under the EU/US Privacy Shield Framework if the data is processed in a way that is incompatible with the EU/US Privacy Shield Framework except if Cmed can demonstrate its absence of responsibility for the event that caused the damage.

Cmed takes reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration and destruction.

Cmed limits the use of personal data to the purpose for which the information has being collected or later authorized and when Cmed processes information for clients, in accordance with their instructions.

Individuals have a reasonable and proportionate right to access their personal information held by Cmed, as well as correct, amend, and delete information if inaccurate or in violation of the Principle.

In cases where Cmed processes personal data on behalf of clients, requests should be addressed directly to the client (data controller).

Please note that Cmed and Cmed’s clients (pharmaceutical or medical device companies) are not required to apply the principles of Notice, Choice, and Accountability for Onward Transfer and Access in case of reporting product safety and efficacy monitoring to the extent that the adherence of the principles interfere with the compliance of regulatory requirements.

For all inquiries or complaints on personal data and the Privacy Shield, please contact:

Cmed Group Ltd
Data Protection Officer
Ashurst, Broadlands Business Campus
Langhurstwood Road
Horsham, West Sussex, RH12 4QP, United Kingdom
F: +44 (0)1403 755051

Cmed decided to participate to the dispute resolution provided by the EU member states Data Protection Authorities (DPA) If the issues were not resolved to your satisfaction with Cmed, the complaints can be brought to the DPAs.

If previous redress mechanism does not provide full satisfaction and under the conditions provided under the EU/US Privacy Shield Framework, you can invoke binding arbitration through the Privacy Shield (Arbitral) Panel. Under the Privacy Shield, Cmed is subject to the investigation and enforcements of the US Federal Trade Commission.

Cmed will comply with lawful requests from the US authorities (law enforcement and national security) to disclose personal data.