Clinical Studies - Privacy Policy

Endowave Ltd. is a company based in Ireland which has developed a medical device for the ablation of lung cancer nodules. We carry out research in Europe, the UK and Switzerland to test our device and improve its design with the overall aim of achieving marketing authorisation for the device. This Privacy Notice (the “Notice”) aims to provide participants in this research with an overview of the measures we take to protect your privacy.

Endowave is committed to complying with the data protection laws of the countries in which we sponsor clinical research. This Notice applies to participants in research conducted by or on behalf of Endowave both within and outside the European Union (EU).

Our research

The research conducted by Endowave involves participants with lung cancer and covers clinical trials (also known as studies) in which participants are treated with the Endowave FlexAblate™ system. Your participation in our research is entirely voluntary and before you take part, you will be asked to sign a detailed consent form.

This Notice provides information about the ways in which your personal data is “processed” (collected, stored and used). As Endowave is based in the EU, it is required to process personal data about you in a manner compliant with the General Data Protection Regulation (“GDPR”) even if you are based outside the EU. This Notice describes how Endowave uses personal data or special category data received either directly from you, or from third parties, in connection with Endowave research.

What is personal data?

Personal data means data relating to a person who is or can be identified either from the data itself or from that data in conjunction with other information in the possession, or likely to come into the possession, of the data controller. Special category personal data includes details like racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life details and sexual orientation.

What is Endowave’s role?

For the purposes of this Notice, Endowave acts as a data controller under the GDPR for the personal data it processes. This means that Endowave determines the purposes and the means of processing of that personal data. Endowave has designed the data collection process so that we do not have direct access to your identifiable personal data, meaning that we are unable to directly identify study participants.

Your personal data is collected by the study site (the doctor, clinic, hospital, or other healthcare facility where the study or other research is being conducted).

In order to protect your privacy, the information of every study participant is key-coded (or “pseudonymized”) at the study site before it is sent to or received by Endowave. This means that identifying information like your name and contact information is replaced with a participant identification number, and Endowave will not have access to the ‘key’ which allows you to be re-identified. The key is stored securely at the study site and is never shared with Endowave.

There may be other organizations that control the processing of your personal data in conjunction with Endowave. Your doctor or a member of the study team will provide further details about the other data controllers that jointly or independently determine the purposes for which your personal data is processed, and the means by which this is done.

How is your personal data collected?

Your information is collected in a number of ways. You may provide it to a study site when you complete a pre-screening questionnaire, participant profile form or quality of life survey. When you participate in a study, information will be gathered by the staff carrying out the study. Some of this information is then conveyed to Endowave by the study site as outlined below.

What is the legal basis for processing your data?

Before, during, and after each study, Endowave will process your personal data, including special category data such as your health data or ethnicity, for various purposes. Once you agree to participate in a study, Endowave will only process your personal data if it has a valid legal basis for doing so. These are described in the table at the end of this document. Health data is considered sensitive personal data and special rules apply to processing it.

When Endowave processes such data, it does so for:

  • reasons of public interest in the area of public health (GDPR Article 9(2)(i)) and
  • scientific and research purposes (GDPR Article 9(2)(j)).

The data enables Endowave to conduct a clinical study and show that its medical device is safe and effective. Explicit consent is obtained for this processing in accordance with Art 6(1)(a) and Art 9(2)(a).

How is your personal data used?

Endowave processes your personal data to support our research, improve device design, comply with our legal and regulatory obligations, obtain regulatory approvals and obtain market authorisation for our device. It may also be used for training and promotional purposes with your specific consent. After completion of the study, Endowave may use your personal data for the purpose of informing further research and to publish the results of the study.

The specific purpose and legal bases on which Endowave processes your personal data, including your health data, may vary somewhat between locations in order to comply with the requirements of applicable local laws in jurisdictions where we sponsor research. Full details will be given to you in the Patient Informed Consent Form related specifically to the research project you are participating in. If there is any conflict between any information in this Notice and any information in the Patient Informed Consent Form you signed, you should rely on the Patient Informed Consent Form.

For how long does Endowave retain your data?

Endowave will keep your personal data until the purposes listed in this Notice are fulfilled, or for as long as required by applicable law. Our current policy is to archive such data for a minimum period of 10 years after completion of the relevant study, but longer periods may apply depending on the jurisdiction in which the study is carried out. This applies even when your consent to participate in the study is withdrawn, in order to keep a safety record for our medical device.

Who does Endowave share your data with?

Endowave will share your coded personal data with service providers and consultants who process personal data on our behalf and who agree to use your personal data to assist us in our research and business activities or as required by applicable law. It may also be necessary to share your data with government / public authorities (including regulatory authorities). This is necessary for the purpose of obtaining regulatory approvals for the use of the investigational device in clinical practice, for regulatory audits and for the supervision and conduct of the relevant study.

Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, and public / government agencies and regulators who may be located in other countries, including countries outside the EU.

Therefore, your personal data may be processed outside your jurisdiction and in countries not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and that may not provide for the same level of data protection as your jurisdiction.

Endowave takes steps to ensure that the recipient of your personal data offers an adequate level of protection, for instance, by sharing only coded data and entering into appropriate data protection and confidentiality agreements or the European Commission-approved standard contractual data protection clauses. These contracts ensure the same levels of personal data protection that would apply under the GDPR.

Other disclosure of your personal data

Endowave may also disclose your personal data:

  • to comply with a court order or a request from a regulatory or other public body;
  • where disclosure is required by law, such as to assist in the prevention, detection, or prosecution of serious crime;
  • where necessary to make or defend a legal claim;
  • Endowave will not sell your data; however, if in the future, Endowave sells or transfers part or all of our business, shares or assets to a third party, your personal data may be disclosed to that third party in order to continue the business.
  • to physicians under contract with Endowave to help carry out the clinical study, who are based in the EU, UK, US or China.

If you want to receive a list of the current recipients of your personal data, please contact Endowave at dataprivacy@Endowave.com.

How does Endowave keep your data secure and confidential?

Strict rules apply to our use of personal data and Endowave has a duty to ensure it is stored safely and securely. Your data may be stored in electronic and/or paper records. Endowave has technical, administrative, and physical measures in place that are designed to protect your personal data from being accessed, disclosed, altered, or destroyed by unauthorized people.

Security measures include computer passwords, audit trails, as well as pseudonymisation. All our records have restricted access controls so that only those who have a need to know the information can get access.

Your Rights

You have the following rights in relation to your personal data:

  • The right to be informed about the collection and use of your data. This Notice aims to provide you with this information in a clear and accessible way.
  • The right to request access to your personal data (this is called a Subject Access Request).
  • The right to update or correct your personal data if any of the personal data held by us is inaccurate or incomplete.
  • You may also have the right to ask that Endowave limits processing of your personal data, as well as the right to object to processing of your personal data or its erasure in certain circumstances. This right may be limited or not apply when your personal data is being used for research purposes.

Because the data Endowave receives is pseudonymised, Endowave cannot identify individual study participants. If you require access to your data, you should contact the study site directly.

Contact information for your study site is included in the Patient Informed Consent Form you complete before starting the study.

You may also have the right to lodge a complaint with a data protection regulator in your jurisdiction. If HIPAA applies to you, you have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services.

What happens if I withdraw from the study?

If you stop participating in the study, Endowave will stop collecting data from you immediately. However, the data collected prior to your withdrawal may continue to be processed to complete the study, for example to allow Endowave to analyse and validate the research results and to continue with the research. The legal bases on which Endowave relies to process your data in these circumstances are our legitimate interest in carrying out the study and the necessity of processing for scientific research purposes (GDPR Article 6(1)(f), 9(2)(j)) or where processing is necessary in the public interest (Article 9(2)(i)).

Contact Us

If you have any questions about this Notice or our processing of your personal data, please contact our Data Protection Lead by email at dataprivacy@endowave.ie

| Purposes of processing | Personal data processed | Legal basis for processing under GDPR |
| --- | --- | --- |
| Identify and enrol participants in clinical study | Review and collection of personal data in pseudonymized form only from study participants e.g. health records, diagnostic test results, age, gender, race/ethnicity. | Art 6(1)(a) – Consent; Art 9(2)(a) – Explicit Consent |
| Document participant consent for clinical trials | Obtaining and documenting consent for participation and data use | Art 6(1)(a) – Consent; Art 9(2)(a) – Explicit Consent |
| Gather clinical trial related health data | Recording health data, lab results, and other trial-related information | Art 6(1)(a) – Consent; Art 9(2)(a) – Explicit Consent |
| Monitor and report safety issues during clinical trials and reporting to regulatory or ethics | Recording health data, lab results, and other trial-related information | Art 6(1)(a) – Consent; Art 9(2)(a) – Explicit Consent |
| Fulfilling regulatory requirements including submission to ethics and for regulatory approval in and outside of the EU. | All personal data collected as part of the clinical trial including participant information and medical / health data. | As above; Article 6(1)(c): compliance with legal obligation(s) to which Endowave is subject; Article 9(2)(i): for reasons of public interest in the area of public health |
| Conducting further scientific and medical research | All personal data collected as part of the clinical trial including participant information and medical / health data. | Article 6(1)(f): legitimate interest in conducting clinical trials and obtaining market authorisation for our medical device within and outside the EU; Article 9(2)(j): scientific and research purposes |