GDPR Compliance

Our Commitment to GDPR Compliance

At MAESTRO, we are committed to ensuring the highest standards of data protection and privacy for all our users, particularly in relation to the European Union's General Data Protection Regulation (GDPR). As a platform that facilitates clinical research, we understand the critical importance of handling personal data with the utmost care and in full compliance with applicable data protection laws.

Data Protection Principles

In accordance with GDPR requirements, MAESTRO adheres to the following key principles when processing personal data:

• Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner.
• Purpose limitation: We collect data only for specified, explicit, and legitimate purposes.
• Data minimization: We limit data collection to what is necessary for the purposes for which it is processed.
• Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
• Storage limitation: We retain data only for as long as necessary for the purposes for which it is processed.
• Integrity and confidentiality: We process data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
• Accountability: We take responsibility for demonstrating compliance with these principles.

Legal Basis for Processing

MAESTRO ensures that all processing of personal data is done on one of the following legal bases:

• Consent of the data subject
• Performance of a contract with the data subject
• Compliance with a legal obligation
• Protection of vital interests of the data subject or another person
• Performance of a task carried out in the public interest
• Legitimate interests pursued by MAESTRO or a third party

Special Categories of Personal Data

As a clinical research platform, MAESTRO may process special categories of personal data, including health data. We ensure that such processing is carried out in accordance with Article 9 of the GDPR, which requires additional conditions to be met, such as explicit consent or processing for medical diagnosis, the provision of health or social care, or scientific research purposes.

Data Subject Rights

MAESTRO respects and facilitates the rights of individuals under the GDPR, including:

• Right to be informed: We provide clear and transparent information about how we process personal data.
• Right of access: Data subjects can obtain confirmation as to whether their personal data is being processed and access to their personal data.
• Right to rectification: Data subjects can have inaccurate personal data rectified or incomplete data completed.
• Right to erasure (right to be forgotten): Data subjects can request the deletion of their personal data under certain circumstances.
• Right to restrict processing: Data subjects can request the restriction of processing of their personal data under certain circumstances.
• Right to data portability: Data subjects can receive their personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller.
• Right to object: Data subjects can object to the processing of their personal data under certain circumstances.
• Rights related to automated decision-making and profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Data Protection by Design and Default

MAESTRO implements appropriate technical and organizational measures to ensure data protection by design and by default. This includes:

• Pseudonymization and encryption of personal data
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Measures to restore the availability and access to personal data in the event of a physical or technical incident
• Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures

Data Protection Impact Assessments

MAESTRO conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, particularly when using new technologies or when processing sensitive data on a large scale.

International Data Transfers

MAESTRO ensures that any transfer of personal data to a third country or international organization is subject to appropriate safeguards, such as:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules (BCRs)
• Other appropriate safeguards as provided for in the GDPR

Data Breach Notification

MAESTRO has procedures in place to detect, report, and investigate personal data breaches. In the event of a breach that is likely to result in a risk to the rights and freedoms of natural persons, MAESTRO will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, MAESTRO will also communicate the breach to the affected data subjects without undue delay.

Data Protection Officer

MAESTRO has appointed a Data Protection Officer (DPO) who is responsible for monitoring compliance with the GDPR and other data protection laws, providing advice on data protection matters, and cooperating with supervisory authorities. The DPO can be contacted at [email protected].

GDPR Training and Awareness

MAESTRO provides regular training to its staff on data protection principles, procedures, and best practices. We ensure that all staff members are aware of their responsibilities under the GDPR and other applicable data protection laws.

Vendor Management

MAESTRO conducts due diligence on all third-party service providers who process personal data on our behalf to ensure they have appropriate technical and organizational measures in place to protect personal data. We enter into data processing agreements with these providers that comply with the requirements of the GDPR.

Documentation and Record-Keeping

MAESTRO maintains records of processing activities as required by Article 30 of the GDPR. These records include information about the purposes of processing, categories of data subjects and personal data, recipients of personal data, transfers to third countries or international organizations, time limits for erasure, and a general description of technical and organizational security measures.

Compliance Monitoring and Review

MAESTRO regularly monitors and reviews our compliance with the GDPR and other applicable data protection laws. We update our policies, procedures, and practices as necessary to ensure ongoing compliance.

Specific Measures for Clinical Research Data

Given the nature of clinical research, MAESTRO implements specific measures to protect the privacy and rights of clinical trial participants, including:

• Implementing appropriate pseudonymization and anonymization techniques
• Ensuring that informed consent processes comply with GDPR requirements
• Facilitating the exercise of data subject rights in the context of clinical research
• Implementing specific security measures for health data and other special categories of personal data
• Ensuring compliance with the GDPR's provisions on scientific research

Contact Us

If you have any questions or concerns about our GDPR compliance or how we handle personal data, please contact our Data Protection Officer at [email protected] or write to us at:

MAESTRO, RAN BIOLINKS CANADA LTD
10212 Yonge Street, 202, Richmond Hill, Ontario, Canada, L4C 3B6