Legal notices and information regarding personal data protection — QCMVigilance® Digital portal

PREAMBLE

These General Terms and Conditions of Use (hereinafter the ‘GTCU’) set out the rules for accessing and using the QCMVigilance® Digital Portal (hereinafter the “Portal”), made available to professional clients by CLINREAL ONLINE (hereinafter «Clinreal ‘or ’the Publisher») for the management of regulatory vigilance activities.

Use of the Portal by the user (hereinafter ‘the User’) — whether an employee of a client laboratory or, to a limited extent, a declarant accessing a form— implies unconditional and unreserved acceptance of all these Terms of Use. These terms and conditions may be modified at any time by Clinreal to consider changes in services, regulations or security measures. The version in force is the one published on the Portal on the date of consultation. Users who refuse to adhere to these terms and conditions must immediately cease using the Portal’s services.

  1. Identification of stakeholders

Portal publisher

The QCMVigilance® Digital portal is published and made available by:

CLINREAL ONLINE

Private Limited Company with capital of €40,000

66 AV DE L’URSS 31400 TOULOUSE (France)

Registered with the Toulouse Trade and Companies Register under number 482264231

Intra-community VAT number: FR69482264231

Email: contact@clinreal.com

Clinreal provides its professional clients (laboratories/brands/manufacturers) with a digital portal dedicated to the management of regulatory health vigilance activities (cosmetovigilance, medical device vigilance, nutrivigilance).

  • Data controller

For the processing of personal data related to health vigilance cases (reports of adverse effects on cosmetic products and similar products), the data controller is the laboratory/brand/manufacturer (legal responsible for the product) that uses the Digital Platform. Clinreal acts as a processor within the meaning of the regulations on personal data protection.

  • Host

Hosting via Periwinkle, which provides IT outsourcing services for Clinreal, at Titan DC (TAS Cloud Sofia Antipolis server – HDS certification, ISO 27001, data center level (Tier IV)).

2.. Purpose of the portal and objectives

  • Description of the service
  • The QCMVigilance® Digital Portal enables Clients (laboratories/brands/manufacturers) to report and manage cases of adverse effects relating to their products, monitor questionnaires completed by reporters, and consult Clinreal’s analyses and proposed conclusions in real time.
  • The tool is based on a Single Digital Form (FNU) completed on the BRAND Digital Platform/Client Laboratory and enhanced by processing carried out by Clinreal (pre-analysis, possible investigation, final analysis, accountability).
  • Purposes of processing
  • Vigilance management: collection, recording, analysis, documentation, monitoring, transmission to authorities (ANSM, EMA/Eudravigilance, where applicable), and management of the relationship with the declarant/purchaser of the product.
  • Traceability of reports and compliance with regulatory obligations in terms of vigilance.
  1. Processed data and data subjects
  • Categories of persons concerned
  • Reporters of adverse effects: users/customers, patients, association members, healthcare professionals, members of authorities, etc.
  • Users of the client-side portal (laboratory staff /brand/manufacturers).
  • Users of the Clinreal-side portal (language correspondents and approved subcontractors).
  • Data categories
  • Identification details of the reporting person (identity, contact details).
  • Health data related to the adverse reaction (symptoms, relevant medical history, treatment, progression, etc.).
  • Any lifestyle data necessary for analyzing the case.
  • Data relating to the use of the platform (logs, identifiers, action traces, timestamps).
  • Mandatory or optional nature of data
  • Indication of mandatory fields in the form (data necessary for analyzing the case and complying with due diligence obligations).
  • Mention of the consequences of failing to provide information (inability to process the declaration correctly, etc.).
  1. Legal basis and regulatory framework
  • Legal basis
  • For processing carried out by Clients (laboratories/brands/manufacturers): legal obligation and/or public interest mission in terms of vigilance, based on Articles 6(1)(c) or 6(1)(e) and 9(2)(i) of the GDPR, in connection with the Public Health Code.
  • — For technical processing carried out by Clinreal: performance of the subcontracting agreement concluded with the Client (Article 28 of the GDPR), based on the Client’s documented instructions.
  • Regulatory references
  • Regulation (EU) 2016/679 (GDPR).
  • Applicable national legislation on vigilance and cosmetic products.
  1. Roles and responsibilities (Clinreal / Clients)
  •  Data controller for Clients (laboratories/brands/manufacturers)
  • Determines the purposes and means of processing vigilance data concerning its own products.
  • Informs the persons concerned, in particular via its documentation, media, website or privacy policy.
  • Subcontractor (Clinreal)
  • Processes data only on the documented instructions of the Client.
  • Provides the QCMVigilance® Digital tool, performs preliminary analysis, surveys on the phone, if necessary, final analysis and accountability, and reports the results to Clients in real time.
  • Undertakes, along with its declared subcontractors, to comply with the security, confidentiality, assistance and notification obligations set out in the subcontracting agreement.
  1. Recipients, transfers and storage
  • Recipients of the data
  • Authorized personnel of Clients (laboratories/brands/manufacturers).
  • Clinreal team with strict authorization (vigilance/quality/IT teams, as required).
  • Competent authorities (ANSM, EMA/Eudravigilance, national authorities) when required by regulations.
  • Transfers outside the EU
  • The data is not intended to be transferred outside the European Economic Area. If a transfer were to be considered (for example, to a global vigilance database), it would be subject to appropriate safeguards in accordance with the GDPR.
  • Data retention periods
  • Data relating to vigilance files is retained by Clinreal, as a subcontractor, on behalf of its Clients, for an indicative period of twelve (12) rolling months from the date of closure of the file, unless a longer retention period is required by the regulations applicable to the Client or provided for in the contract.
  • When the return of data to the Client cannot be fully completed (particularly in the event of non-validation of the transfer or non-finalized recovery certificate), or in the event of technical constraints, application upgrades, maintenance operations or incidents affecting the information system, Clinreal is authorized to extend the retention of data beyond the reference period, for a limited period strictly necessary for data security, service continuity and compliance with regulatory requirements.
  • Data retained beyond the reference period remains subject to the same security, confidentiality and access control requirements, in accordance with applicable contractual and regulatory commitments.
  • Connection and traceability logs are retained for a period proportionate to the purposes of security, audit and regulatory compliance.
  1. Security and confidentiality
  • Application security and access
  • Access management through unique authorization profiles, annual review of rights, administrator accounts subject to formalized exemptions.
  • Logging of user actions to detect fraudulent access.
  • Enhanced authentication for critical access.
  • Data security and hosting
  • Hosting on HDS and ISO 27001 certified sites, Tier IV data centers
  • Encryption of data in transit and at rest; encrypted (AES 256) and redundant backups; daily backups.
  • Cybersecurity and governance
  • Existence of a Security Assurance Plan (SAP) with the IT service provider.
  • Secure workstations (encryption, antivirus, updates).
  • Use of encryption tools for external exchanges.
  • Regular security audits in accordance with ANSSI hygiene rules or equivalent standards.
  1. Rights of data subjects

Data collected as part of health surveillance is processed in accordance with the GDPR, the French Data Protection Act and its amendments, and the CNIL RS-001 – Health Surveillance guidelines. You have the right to access, rectify and restrict the processing of your data by contacting Clinreal by post or email: dpo@clinreal.com

  1. Terms and conditions of use of the portal
  • Target audience
  • Portal reserved for Clients (laboratories/brands/manufacturers) and their users, as well as authorized Clinreal users and partners, for the purposes of vigilance management.
  • The final declarant only accesses the questionnaire sent by the Client via a secure link to complete the information relating to their adverse reaction.
  • Rules of use
  • Prohibition on using the portal for illegal content, data unrelated to vigilance, or misuse.
  • Obligation for users to keep their usernames and passwords confidential
  1. responsibility
  • The Client, in its capacity as data controller, is solely responsible for:
  • the lawfulness of the processing carried out via the portal
  • the quality, accuracy, relevance and completeness of the data it enters or has entered,
  • compliance with the legal and regulatory obligations applicable to its vigilance activities and products.
  • Clinreal, acting as a data processor, undertakes to implement the appropriate technical and organizational measures to guarantee a level of security appropriate to the risks, particularly in terms of confidentiality, integrity, traceability and availability of data and the QCMVigilance® Digital portal.
  • Clinreal cannot be held liable for:
  • temporary unavailability due to maintenance operations
  • malfunctions attributable to third parties or the Customer’s environment
  • or interruptions resulting from force majeure or events beyond its reasonable control
  1. Changes to the terms and conditions

These terms and conditions may be modified at any time to reflect changes to the Services, regulations or security measures put in place. The version in force is the one published on the QCMVigilance® Digital Portal on the date of consultation.