Who we are
Website address is: https://artha-research.com
Background and motivation for the general data protection law
In 2018, Brazil joined the countries that have specific legislation for the data protection and privacy of their citizens, through the publication of the General Data Protection Law (GDPL – Law No. 13.709/2018).
Other regulations similar to the GDPL in Brazil are the General Data Protection Regulation (GDPR) in the European Union, which became mandatory on May 25, 2018 and applies to all countries in the European Union, and the California Consumer Privacy Act of 2018 (CCPA), applicable in the United States of America.
The need for the creation of a specific law started from Facebook privacy scandals, where a specific company allegedly used Facebook users’ data to run a more assertive and customized political campaign in the 2016 U.S. presidential election.
From then on, data security and privacy became recurrent political agendas in order to create legislation that, until then, did not exist in the country, with the specific purpose of defending users’ data and defining responsibilities regarding their processing.
The legislation is based on several values, such as respect for privacy; for informative self-determination; for freedom of speech, information, communication, and opinion; for the inviolability of privacy, honor, and image; for economic and technological development and innovation; for laissez-faire, free competition and consumer protection, and for the human rights to freedom and dignity.
The GDPR creates a set of new legal concepts (e.g. “personal data”, “sensitive personal data”), sets out the conditions under which personal data can be processed, defines a set of rights for data holders, creates specific obligations for data controllers, and creates a series of procedures and standards for greater care in processing personal data and sharing it with third parties.
The law applies to all information relating to an identified or identifiable natural person and to data concerning racial or ethnic origin, religious belief, political opinion, membership in a union or organization of a religious, philosophical or political nature, data concerning health or sexual life, genetic or biometric data, when linked to a natural person.
This Law mentions the processing of personal data, in physical or digital form, by individuals or legal entities of public or private law, and encompasses a wide range of processes.
▪ Principle of good faith
▪ Principle of purpose
▪ Principle of adequacy
▪ Principle of necessity
▪ Principle of free access
▪ Principle of data quality
▪ Principle of transparency
▪ Principle of safety
▪ Principle of prevention
▪ Principle of non-discrimination
▪ Principle of responsibility and accountability
Personal data: information related to an identified or identifiable natural person. This is information from living natural persons that directly or indirectly identifies an individual.
✓ Direct information is that which allows the immediate individualization of the person – example: when making an online purchase, a customer provides their full name and CPF; with this information, the online store can identify the individual who made the purchase.
✓ Indirect information is that which, through the gathering of information, may lead to the identification of the subject – example: a company did not record the full name or CPF of a client; thus, in principle, this company would have no way of identifying that person. However, using other information in their possession, it is possible to discover a person’s identity, such as their profession, address, gender, or any other data that helps to identify them.
▪ Sensitive personal data: personal data regarding racial or ethnic origin, religious conviction, political opinion, membership in a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person;
▪ Anonymized data: data relating to the holder that cannot be identified, considering the use of reasonable technical means available at the time of its processing.
▪ Database: a structured collection of personal data, established in one or several locations, in electronic or physical media;
▪ Holder: the natural person to whom the personal data being processed refers;
▪ Controller: a natural or legal person, governed by public or private law, who is responsible for decisions concerning the processing of personal data;
▪ Operator: a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;
▪ Officer: a person appointed by the controller and operator to act as a communication channel between the controller, the data holders and the National Data Protection Authority;
▪ Processing agents: the controller and the operator;
▪ Processing: any operation performed with personal data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, assessment or control of information, modification, communication, transfer, diffusion or extraction;
▪ Anonymization: use of reasonable technical means available at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.
▪ Consent: free, informed, and unambiguous expression by which the holder agrees to the processing of their personal data for a specific purpose;
▪ Blocking: temporary suspension of any processing operation while keeping the personal data or the database;
▪ Deletion: deletion of data stored in a database, regardless of the procedure used;
▪ International data transfer: transfer of personal data to a foreign country or international body of which the country is a member;
▪ Shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of personal data banks by public bodies and entities in the fulfillment of their legal competencies, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities allowed by these public entities, or between private entities;
▪ Personal data protection impact report: documentation from the controller containing a description of the personal data processing processes that may create risks to civil liberties and fundamental rights, as well as risk mitigation measures, safeguards, and mechanisms;
▪ Research organization: body or entity of the direct or indirect public administration, or private non-profit legal entity legally constituted under the Brazilian laws, with headquarters and jurisdiction in the country, which includes, in its institutional mission or social or statutory purpose, basic or applied research of historical, scientific, technological or statistical nature; and
▪ National authority: the public administration body responsible for ensuring, implementing, and enforcing compliance with this Law throughout the national territory.
DATA PROTECTION ACTORS
Under the GDPR, the processing of personal data can be carried out by two “processing agents”: the Controller and the Operator.
ARTHA RESEARCH acts as controller and operator at the same time.
There are also the Data Holder and the Officer, as shown below.
PROCESSING OF PERSONAL DATA
As mentioned above, Data Processing involves any operation performed with personal data, such as those relating to its collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, assessment or control of information, modification, communication, transfer, diffusion or extraction.
Within the Cosmetics Clinical Research scenario, data processing occurs for the purposes below:
▪ Collecting data for emergency situations where it is necessary to contact people designated as “emergency contacts” by Research Participants;
▪ Collecting data, after explicit consent of the Participants, to register the Participants in the ARTHA RESEARCH Database, enabling them to be contacted for participation in new Clinical Trials;
▪ Collecting your data, after your explicit consent in this Term, in order to register you in our Database, so that you can be contacted to participate in new Clinical Trials;
▪ Collecting your data, after your explicit consent in the Informed Consent Form specific to each Clinical Trial, to verify that you meet the requirements requested by the Study Sponsor, such as age, sex, skin type, hair, any specific health condition, cosmetic product use habits, etc.;
▪ Collecting your data for exceptional situations, where it is necessary to contact persons designated by you as “contacts for emergencies and messages”;
▪ Conducting the Clinical Research, with the collection of your data, necessary to defend a hypothesis related to the safety and acceptability of cosmetic products, as described in the respective Research Protocols;
▪ Handling your data to analyze the necessary intervals between different Clinical Trials, for your safety, preventing you from participating in Studies without respecting the washout period;
▪ Collecting your photos, in order to allow comparison and evolutionary analysis of a dermatological aspect, at different time intervals in the same Clinical Trial;
▪ Collecting and processing your data in a form compiled with the other Clinical Trial Participants, for the purposes of statistical analysis, demographic analysis, etc.;
▪ Collecting your basic financial data, such as a Pix key, in order to enable your reimbursement after voluntary participation in the Clinical Trials;
▪ Collecting your data to fulfill legal obligations (accounting, tax obligations, etc.).
DATA RETENTION PERIOD
As mentioned above, some data is collected in the Registration Phase and some is collected specifically for each Clinical Trial. The data retention period will vary as below:
▪ Data Collected in the Registration Phase – This data will be kept for an unlimited time, provided that the Participant agrees and gives their consent in the phases mentioned in item 7 above (Registration Phase + Renewal every 3 years).
Furthermore, the participant will be informed in all Clinical Researches that they can, at any time, request the deletion of their data from the database of ARTHA RESEARCH.
▪ Data Collected in Clinical Trials – This data will be maintained for a minimum time period of 5 years, and may vary depending on the Trial Sponsor. Participants will be informed of this time period in the clinical trial–specific Informed Consent Form. After this period of time, the documents will be destroyed.
WAYS OF MASKING PARTICIPANT DATA
As previously mentioned, all personal data collected is mandatorily anonymized to avoid identifying the Research Participants. This anonymization occurs before the data is shared with Sponsors or other stakeholders.
PERSONAL DATA OF EMPLOYEES, SUPPLIERS AND CUSTOMERS
The process of managing and protecting personal data does not apply only to Research Participants, although they represent the largest volume of ARTHA RESEARCH. The data of employees, suppliers, and customers also needs the same security and confidentiality. This data may involve:
▪ First name, Last name and CPF number;
▪ Employment Booklet;
▪ Dependents’ data for benefits management (when applicable);
▪ Marital Status;
▪ Date of birth;
▪ Gender and Age;
▪ Email address;
▪ Phone number;
▪ Emergency contact numbers;
▪ Images / photos;
▪ Bank information for payments;
▪ Clearance Certificates;
▪ Permits and other legal documents from stakeholders, etc.
The consent process for the data processing of these data holders is expressed in the signing of a contract between both parties, including confidentiality clauses.
If there is no contract signed between the parties, the purchase order must include the note:
“Data under management of ARTHA RESEARCH controller and operator – Contact the DPO (dpo@artha-research.com) if you wish to delete your data or request further clarification.”
Internally, the management of this data will be the responsibility of the Administrative department, with access controlled and restricted to designated people.
PERSONAL DATA PROTECTION IMPACT ASSESSMENT
This Manual describes all the personal data that will be collected and processed by the controller/operator of ARTHA RESEARCH. The measures adopted to mitigate risks involved with data protection are described in the BCP – Business Continuity Plan, under the responsibility of the Quality area.
In addition, the internal procedure PR.TI.EN.001 – IT and Information Security Management describes the requirements applicable to Technology and Information Security, including details on backup, IT infrastructure, periodic simulations for security assessment, among other significant items related to the topic.
CONTACTS IN CASE OF COMPLAINT
In case of complaints, data holders will be directed to contact the Data Protection Officer.
▪ Data Protection Officer (DPO): Barbara Nahum
Address: Rua Buenos Aires, 68 / 34 andar – Centro, Rio de Janeiro.
Phone: (21) 2042-94953
▪ Operator/Controller: ARTHA RESEARCH
Address: Rua Buenos Aires, 68 / 34 andar – Centro, Rio de Janeiro.
Phone: (21) 2042-9495.