Data Privacy Policy

1. Foreword

EUCROF is committed to Personal Data Protection. This Data Privacy Policy is addressed to any physical person, hereinafter referred to as "Data Subject", from whom EUCROF is collecting Personal Data, and aims at ensuring full transparency and pedagogy about EUCROF's commitments and practices when processing such Personal Data.

EUCROF is committed to use all collected data in compliance with the General European Regulation 2016/679 of 27 April 2016 on the protection of data, hereinafter referred to as the "Regulation".

This Data Privacy Policy applies to any Data Subject (i.e. EUCROF website visitors and EUCROF members).

2. Definitions

Personal Data: information that can identify a natural person, directly (for example his/her first and last names), or indirectly (for example, his/her phone number or email address, his/her contract number, his/her nickname, an IP address, etc.).

Processing of Personal Data: an operation or an organised set of operations performed on personal data (collection, structuring, archiving, modification, communication, etc.).

Data Subject: the person that can be identified through the data used as part of the Processing of Personal Data.

Controller: the organisation deciding how and for what purpose the Processing of Personal Data is implemented, including determining what tools shall be used for such processing.

Processor: a person or legal entity carrying out operations on the data on behalf of the data Controller. The Processor signs a contract with the Controller to carry out certain tasks and is committed to implement the technical and organisational guarantees, allowing him to deal with the Personal Data in accordance with the Regulation.

Recipient: a person or legal entity receiving authorised communication of Personal Data.

EUCROF is the Controller of the following Processing of Personal Data:

  • Edition and distribution of an electronic newsletter on clinical research and EUCROF's activities
  • EUCROF Members Registry maintenance
  • EUCROF Working Groups
  • Organisation of webinars on clinical research topics
  • Organisation of a European conference on clinical research
  • Corporate Website set-up and maintenance

3. EUCROF Key commitments

As a Controller, EUCROF complies with the following principles:

  • Personal Data are only used for explicit, legitimate and defined purposes as described in this Data Privacy Policy;
  • Only strictly useful Personal data are collected and processed: EUCROF applies the concept of privacy by default, which protects Data Subjects from excessive data collection;
  • Data are not kept longer than needed for the purposes for which they were collected and the corresponding legal requirements if any;
  • EUCROF neither communicates nor transfers Personal Data to third parties except to authorised Recipients as strictly required for the purposes defined beforehand;
  • Personal Data are entrusted to Processors providing appropriate technical and organisational guarantees to ensure the protection of the data they are entrusted with under the instructions of EUCROF;
  • Data Subjects are informed regularly and in advance, in a clear and transparent way, on the purpose of use of their data, the optional or mandatory nature of their answers in the forms, their data protection rights and the procedures for the effective exercise of these rights, and on the identity of the Recipients;
  • Whenever required by the Regulation, explicit, informed, active and unambiguous consent of the Data Subjects is collected for the Processing of their Personal Data;
  • Appropriate logical, technical, organisational and legal security measures have been defined on the basis of a risk analysis of the different Processing of Personal Data, and are implemented by EUCROF and its Processors to ensure the protection of such Personal Data;
  • Where a Processing of Personal Data presents an identified risk, EUCROF has carried out a Data Subjects’ privacy and data protection impact assessment, and adopted concrete countermeasures to mitigate such risk;
  • EUCROF and its Processors are committed to design and develop or implement tools and systems embedding compliance with the Regulation and Data Subjects’ privacy at their core. Therefore, EUCROF complies with data protection by design and by default principles that allow the development of responsible tools and systems;
  • EUCROF and its Processors are committed to control any possible and unusual data violation and to take all necessary protection and correction measures following a data violation and if need be informing the concerned Data Subjects.

Representatives of EUCROF and subcontractors are regularly made aware of data protection principles and informed of their corresponding responsibilities in this regard.

4. Contacting EUCROF

EUCROF is committed to ensure compliance with the Regulation and the rules described within this Data Privacy Policy, and in particular:

  • to establish and keep up to date a record of Processing activities implemented by EUCROF;
  • that the procedures are compliant with the Regulation and their subsequent developments;
  • to enhance awareness among EUCROF teams of the requirements and best practices regarding Personal Data protection;
  • the effective exercise of the Data Subjects’ rights.

For any question and / or enquiry relating to Data Protection matters, please write to the following address:

  • Email: [address hidden by the website's spam protection]

5. Use of Data and Data Subject’s consent

EUCROF uses Personal Data for the following purposes:

  • Recipients of the Electronic Newsletter
  • Members Registry, including the Executive Board, Full Members Board and the Financial Auditing Committee
  • Working Groups Members Lists
  • Webinar Participants
  • Conference Attendees
  • Corporate website streamlined browsing and visiting statistics.

The Processing of the Personal Data is based on the Data Subject’s consent:

  • Recipients of the Electronic Newsletter give their consent by completing and submitting the electronic newsletter registration form;
  • The persons representing EUCROF Members, Associate Members and Partners acknowledge providing their consent when applying for membership, associate membership and partnership;
  • The persons willing to participate in EUCROF working groups acknowledge providing their consent when applying to join such a working group;
  • The persons willing to participate in a webinar organised by EUCROF acknowledge providing their consent when registering to attend such webinars;
  • The persons willing to participate in a conference organised by EUCROF acknowledge providing their consent when registering to attend the said conference;
  • The persons browsing the EUCROF website are informed of the use of cookies and how the data collected by these cookies is used.

The Data Subject may withdraw his or her consent at any time and without justification by writing to the EUCROF email address specified in article 3 to this Data Privacy Policy.

In this case, he or she acknowledges that he or she will no longer be able to benefit from the services delivered by EUCROF.

The withdrawal of the Data Subject’s consent shall not affect the lawfulness of Data processing carried out before the withdrawal of his or her consent.

6. Convention of proof

Data Subjects are aware that their login, passwords and all activation clicks within the EUCROF information system will be evidence of their identification and acceptance of the Processing of their Personal Data and will establish their electronic signature in accordance with the Regulation, until proven otherwise. Through this process of electronic signature, Data Subjects expressly agree that the data held in the EUCROF information system have conclusive force with regards to performance of their obligations. Data held in the EUCROF information system are evidence which, if they are offered as evidence in any litigation procedure or in any other proceedings, will be admissible and invoked against the concerned Data Subject the same way and with the same conclusive force as any other document that may be drawn up, received or held in writing.

7. The Recipients

EUCROF assesses, on a case-by-case basis, the Recipients of Personal Data, considering their mission and clearance to receive data in accordance with the specified purposes.

Personal Data of the Data Subjects are strictly accessible by EUCROF for the purpose described in article 4. “Use of Data”.

EUCROF uses data Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of the Regulation and ensure the protection of the rights of the Data subjects.

Personal Data of Data Subjects may also be accessible by any regulated profession authorised to receive data for the satisfaction of legal and regulatory obligations, such as in particular auditors, accountants, any auditor of a competent authority, courts, judicial authorities, etc.

EUCROF guarantees that Personal Data of Data Subjects will not be transmitted to any unauthorized third party.

8. Data Storage period

EUCROF has established appropriate rules applying to the storage period of Personal Data to strictly limit such period to the necessary duration.

When Personal Data are processed to give authorised representatives of EUCROF Members, Associate Members and Partners access to online services, EUCROF ensures that Personal Data are stored for the duration necessary for the use of these services.

If such access is no longer used by the authorised representative for 12 months, EUCROF will note the inactivity of the personal account and will proceed with its closure.

After the closure of the access, the Personal Data will be deleted.

Personal Data maintained as part of the mailing list of recipients of the EUCROF electronic newsletter are stored for a period of three years after the collection of the Data Subject’s consent.

His or her Personal data will then be deleted unless he or she has expressed to EUCROF his or her wish to continue to receive such information.

9. Data Security

Data security relies on the measures taken to protect the Personal Data from:

  • Destruction;
  • Loss;
  • Tampering;
  • Unauthorised disclosure of transmitted, stored or processed Personal Data;
  • Unauthorised access to such data, accidentally or in an unlawful manner.

In order to guarantee the safety of Personal Data, EUCROF and its Processors implement appropriate technical and organisational measures taking into account the state of knowledge, costs, nature, scope, context and purposes of the data processing.

When necessary, the following measures are implemented:

  • Pseudonymisation and encryption of Personal Data;
  • Use of means to ensure the ongoing confidentiality, integrity, availability and resilience of systems and Processing of Personal Data;
  • Use of means to restore the availability and access to Personal Data within an appropriate timeframe in the event of a physical or technical incident;
  • Implementation of a procedure aiming to regularly test, analyse and assess the efficiency of technical and organisational measures to ensure the security of data processing.

EUCROF and its Processors implement appropriate devices, compliant with the state of the art and applicable standards, to ensure the protection of the Personal Data.

Where Personal Data are collected on the website, the website security is reinforced.

10. Data Protection Related Rights

Each and every Data Subject has the right:

  • To access his or her Data (Right of Access): the Data Subject has the right to obtain directly from EUCROF confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, obtain the communication of such Personal Data and any related relevant information;
  • To obtain the rectification of his or her Personal data (Right to rectification): the Data Subject has the right to obtain from EUCROF without undue delay the rectification of inaccurate Personal Data concerning him or her. If his or her Personal Data are incomplete, the Data Subject has also the right to have such Personal Data completed. In this respect, the Right to rectification completes the right to access;
  • To obtain the erasure of Personal Data (Right to be forgotten): the Data Subject has the right to obtain from EUCROF the erasure of his or her data where one of the legal grounds applies;
  • To obtain the restriction of Processing of his or her Data (Right to restriction of processing): the Data subject has the right to obtain from EUCROF restriction of Processing where one of the legal grounds applies;
  • To obtain the portability of his or her Personal data (Right to data portability): the Data Subject has the right to receive his or her Personal Data collected by EUCROF in a structured, commonly used and machine-readable format and has the right to transmit such Personal Data to another Controller where one of the legal grounds applies;

The Data Subject can also oppose, where legal grounds apply, the Processing, diffusion, transmission, storage and hosting of his or her Personal Data.

The Data Subject can exercise these rights at any time and without justification by writing to the EUCROF email address specified in article 3 to this Data Privacy Policy.

When submitting a request and to facilitate such procedures, EUCROF encourages Data Subjects to:

  • Specify which right is being exercised;
  • Clearly mention her or his name and contact details;
  • Attach a copy of their I.D.

11. Complaints before a supervisory authority

All Data Subjects have the right to lodge a complaint with a supervisory authority. The activities of EUCROF are carried out within the whole European Territory and therefore potentially include cross-border data transfers. The lead supervisory authority for EUCROF is:


Commission Nationale de l'Informatique et des Libertés - CNIL

3 Place de Fontenoy

75334 PARIS Cedex 07

Tel. +33 1 53 73 22 22

Fax +33 1 53 73 22 00


12. Transfer to third countries and international organisations

EUCROF is a European organisation with international reach. Although the large majority of its Members, Associate Members and Partners are based in countries of the European Union, this is not the case for all of them. However, EUCROF will not transfer Data Subjects’ Personal Data outside of the EU.

13. Cookies

EUCROF website uses cookies.

13.1 What are Cookies?

Cookies are small files that are stored locally in the cache of the visitor's Internet browser. They serve to make the website more user-friendly, effective and secure - for example, when it comes to accelerating navigation on the platform. In addition, cookies enable measurement of the frequency of page views and general navigation. The setting of how long cookies are stored, when they are deleted or whether they are generally rejected, can be specified in the settings of the browser. Please read the instructions for your browser. Please note that in this case you may not be able to use all functions of this website to their full extent.

In the context of this Data Privacy Policy, a "cookie" should be understood in its broader definition, covering any type of browsing tracer regardless of the type of terminal used; this concerns, for example, the tracers deposited on computers, smartphones, digital tablets and video game consoles connected to the Internet.

Cookies serve as the website’s memory by enabling it to recognize the computer device of the user during his subsequent visits. They also make it possible to compile statistics of visits, to improve the user experience, etc.

To find out more about cookies, including how to control and delete them, visit

  • What kind of cookies and for what purpose?

EUCROF’s website uses session cookies, deleted as soon as the browser is closed, and permanent cookies deposited on computers, smartphones, digital tablets used to access the website for a determined and longer period of time.

Cookies used on the website aim to:

  • improve navigation within the website, to be able to use each of its functionalities and to log in to the personal account, if any;
  • produce statistics of use of the various elements composing the website.

EUCROF does not use targeting or advertising cookies within the website.

The following cookies are being used on the EUCROF website:

13.2 Information and consent

Regarding the use of audience measurement cookies and persistent cookies, an information banner is displayed when connecting to the website, to inform the Data Subjects prior to the deposit of these cookies and to collect their prior consent.

Data Subjects’ consent is valid for 12 months.

13.3 Cookies’ control

Data Subjects can express and modify their wishes regarding cookies at any time.

14. Modification of this Data Privacy Policy

The Data Privacy Policy is subject to changes. When changes occur, EUCROF is committed to inform Data Subjects prior to the implementation of the scheduled changes that could impact the Personal Data.

EUCROF will make its best efforts to inform about the eventual impacts of such changes.

Prior to its release, this document was approved by the Executive Board and the Full Members Board of EUCROF. This document is subject to yearly revisions.

September 19th, 2018