This policy is effective as of April 7, 2020
Pregistry was created on the beliefs that:
• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from 25 May 2018, having replaced the previous Directive 95/46/EC; In Ireland, the national law, which amongst other considerations, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’).
• The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
• The California Consumer Privacy Act 2018 (CCPA), assembly Bill of the State of California, United States of America, No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the Governor on 28 June 2018. Filed with the Secretary of State on 28 June 2018 and enforceable since 01 January 2020.
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
The primary goal of Processing Personal Data is to allow Pregistry the identification of those natural persons who have joined Pregistry’s Studies (as Participants) on their own free will and initiative.
Notwithstanding the herein above mentioned, study participants may decide to use an alias, meaning not submitting real Personal Data. Pregistry points out that, depending on which Personal Data the Participant choses to use an alias, there may be an impact on the accuracy of the “Study” results; as an example, whereas registering under a different name than the one pertaining to the Participant is innocuous in terms of impact in the Study, not disclosing the correct date of last menstrual period or gestational age may negatively impact the Study findings.
Pregistry (the organization and its staff members) is aware that Personal Data/ Health Information may represent a risk towards you if accessed by unauthorized third parties. That is a set of Policies, Operational Processes, and mechanisms (technological and human-based) have been developed, ensuring that the Personal Data entrusted by you to Pregistry will be maintained, handled, and shared in a manner that warrants its security, accuracy, confidentiality, and privacy, hence assuring your Personal Data Protection.
Every data subject maintains full control over their personal data (and, where applicable, their offspring’s), as well as the personal data processing activities undertaken by Pregistry (as defined under applicable personal data Protection Legislation or specifically the GDPR, where its ruling is more protective of the data subject’s Rights).
The Data Controller
Pregistry is a United States-based company that conducts epidemiological studies on a variety of topics, including the safety of COVID-19 vaccines and therapeutics on pregnant women and their offspring. Currently, Pregistry is conducting three studies: • International Registry of Coronavirus Exposure in Pregnancy (IRCEP) (NCT04366986, EUPAS37360). The objective of this study is to assess the effect of COVID-19 during pregnancy on obstetric, perinatal, and postnatal outcomes. • COVID-19 Vaccines International Pregnancy Exposure Registry (C-VIPER) (NCT04705116, EUPAS39096). The objective of this study is to assess the effect of COVID-19 vaccination during pregnancy on obstetric, perinatal, and postnatal outcomes. • COVID-19 International Drug Pregnancy Registry (COVID-PR). The objective of this study is to assess the effect of specific newly developed COVID-19 medications during pregnancy on obstetric, perinatal, and postnatal outcomes. Participants may enroll in one or more studies simultaneously. Pharmaceutical companies which hold the marketing authorization of either COVID-19 vaccines or therapeutics indicated for COVID-19 may act as study sponsors; however, even in those cases, personal data pertaining to participants is never shared by Pregistry with those entities. All questions or requests regarding the processing of the personal data under Pregistry’s control or processing may be addressed to firstname.lastname@example.org.
Pregistry’s Data Protection Officer (DPO) contact information:
Mr. Rui Serrano Country: Portugal Email: email@example.com
Pregistry Core Activity – Service Catalogue and Legal Basis
Pregistry service consists of allowing pregnant women to enroll in its studies and to provide information and support to those participants. Under this scope, Pregistry’s Service Catalogue includes the following services and applicable “Legal Basis” for processing Personal Data (respectively):
Study Participant Enrollment
Screening questions are posed to those natural persons who wish to become Participants to qualify them as valid contributors or not. A form is then made available for those natural persons to input their data. The Data Subject provides a name, phone number and creates a user login (username [email] and a password) and then Pregistry sends a One Time Password (OTP) consisting of a 6-digit code that they need to enter in order to continue to read and understand the Consent Form. Registered users are then re-directed to the “Profile” stage where they are asked to enter information related to the specific study. Required Personal Data consists of: • Name • Email 1 • Email 2 (Optional) • Enrolment ID • Age • Preferred Language • Time Zone • GUID • Phone number • Phone number 2 (Optional) • Source • IP Address • Consent • Consent name • Login (password) • Organization • Geolocation • Region • Country • City • Postal Code • Medical History (Optional) • Race/Ethnicity • Call recordings
Reporting Adverse Events
Study participants may at will report adverse events they have experienced (which may or not be causally related to a COVID-19 vaccine or therapeutic indicated for COVID-19), as this is one of the main goals of the studies conducted by Pregistry. The study participant may report adverse events in scheduled questionnaire modules or, at any time, using a button on the study website for logged in participants. Similarly, Participants may upload their redacted medical records (and those of their offspring), as medical records are used to improve the accuracy and validity of the information.
Sending out newsletters to those natural persons who have shown interest in receiving them (regardless of participation status in a study).
Processing (Treatment) over Personal Data
Pregistry is a digital company and most of the data and information it requires to operate is exclusively maintained in digital format on its IT systems hosted at Amazon Web Services data centers in the United States. Data in transit and at rest are encrypted. This guarantees its security and confidentiality. participants are informed of the data hosting in the United States and they provide explicit consent to the processing of their Personal Data/ Health Information. Therefore, they are fully aware and consenting to the transfer and hosting of such data/ information in the United States.
Pregistry only shares fully anonymized data. Pregistry never shares any identifiers that constitute personal data..
In addition to the interaction over the platform or by email, designated Pregistry staff may speak with you both over the phone or video call using the software Twillio. Due to operational reasons, the phone and video calls are recorded and stored by Pregistry, unless you expressly refuse the recording at the beginning of the call. Twillio will save the call while fully encrypted and it shall be transferred within 24 hours to Pregistry’s repositories (also encrypted) and then erased from Twillio. Pregistry hosts data in the United States. Therefore, you hereby consent to such hosting. You should refrain from sharing any personal data that either does not pertain to you or to your child or that is irrelevant to the study when speaking to Pregistry staff over the phone or video call.
Pregistry takes every reasonable step to ensure that Personal Data under its direct processing activities (as the Controller) is limited to the amount and type that is necessary to the successful execution of the Studies.
Personal Data Security, Privacy, and Confidentiality Assurance
Pregistry’s IT landscape is configured and monitored under guidance provided by the strictest security market standards (e.g., ISO 27000 family, Soc2, ITIL, Privacy by Design) and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under applicable Personal Data Protection Legislation towards the Protection of Personal Data/ Personal Information/ Health Information. This is intended to assure confidentiality and privacy while under Personal Data Processing Activities performed by itself and its partners within the scope of Pregistry rendered services.
Personal Data Retention
Data retention is a major potential risk generator since, during the period the data is available, it may be accessed by a third party, constituting a personal data breach. Pregistry fixes the data retention period according the duration of each study. Pregistry does not hold to personal data for longer than necessary. Additionally, Pregistry ensures that the risk of information being deleted prior to the end of its lifecycle is minimized. Study participant personal data is erased within one month (30 days) after leaving the study or one month (30 days) after having asked for their personal data to be erased.
Data Subjects Rights
If you have any questions or complaints about this Policy, please contact us at firstname.lastname@example.org.