Privacy

ImagingDMD UF Privacy Policy

ImagingDMD UF is committed to protecting and preserving your privacy. This “ImagingDMD UF Privacy Policy” provides information about how we process any personal data we collect from you, that you provide to us, or that we obtain about you in connection with your involvement with the ImagingDMD UF as 1) a subject in a clinical trial, 2) employees, contractors, imaging sites, sponsors, vendors, suppliers, or business partners, or 3) individuals who access ImagingDMD UF websites or engage in email or other electronic communications with ImagingDMD UF for the purposes of commercial interest or personal communications.

The purpose of this “ImagingDMD UF Privacy Policy” is to describe the ImagingDMD policies and standards for complying with the European Union’s (EU’s) General Data Protection Regulations (GDPR) that are relevant to ImagingDMD UF and to your personal data if you are located within the European Economic Area (EEA). We adhere to the following principles to ensure that your personal data is reliable for its intended use, and is accurate, complete, and current. Your personal data must be:

• Processed lawfully, fairly and in a transparent manner to you;
• Collected only for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
• Adequate, relevant, and limited to what is necessary for those purposes;
• Accurate and up-to-date, as necessary;
• Stored for no longer than is necessary for the intended purposes; and
• Secure and protected from accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure.

Data Processing on Behalf of Sponsors of Clinical Trials – Subjects

ImagingDMD UF typically serves as a specialized imaging services vendor in clinical studies involving data subjects, such as patients with rare diseases. In the course of this business activity, it is necessary for us to access, collect, process, use, transmit, disclose, store, and otherwise handle personal data from these data subjects on behalf of clinical trial sponsors, who are usually pharmaceutical, biologics, or medical device researchers that are monitored by regulatory agencies, such as the Food and Drug Administration (FDA) in the U.S. and the European Medicines Agency (EMA) in the EU. When these processing activities are subject to the GDPR we will be acting as “data processors” as directed in a data processing agreement with the sponsor, who is acting as a GDPR “data controller.”

The personal data that we may collect and process about you, if you are a clinical trials data subject, includes medical images that are collected at an imaging site, demographic information about you, and measurements and assessment data from the images. We typically do not collect your name or other identifying information such as email address, telephone number, or postal address. Clinical trial sponsors determine the means and purposes of such processing activities, including the personal data that will be collected, how that data will be used and by whom such data is accessed, and how long the data will be retained. Information about the processing of your personal data in connection with such clinical trials can be found in the information provided to you by the clinical trial sponsor and/or imaging site, including the Informed Consent Form (ICF) that was reviewed and acknowledged by you prior to your entry into the clinical trial. Please note that you must contact the sponsor if there are any questions or requests regarding your personal data, since they serve as the Data Controller.

Data Processing related to Clinical Trials – Non-Subject

When ImagingDMD UF collects personal data on data subjects that are not in a clinical trial, such as personal data of ImagingDMD UF employees and contractors, imaging sites and sponsor representatives, and ImagingDMD UF vendors, suppliers, and business partners, the relationships between ImagingDMD UF and these data subjects are defined in contractual agreements. The processing and control of this personal data by ImagingDMD UF is intended to establish and manage our contractual relationships with these parties. These contractual agreements specify the limited use and disclosure of your personal data when we access, collect, process, use, transmit, disclose, store, and otherwise handle personal data for these contracted purposes. Please note that ImagingDMD UF may be forced to disclose your personal information when compelled by a lawful request made by a recognized public authority or where required to meet national security and/or law enforcement requirements. The personal data that we may collect and process about ImagingDMD UF employees and contractors, imaging sites, and sponsor representatives, and ImagingDMD UF vendors, suppliers, and business partners includes names, positions, email addresses, telephone numbers, and postal addresses. We do not collect health information about these individuals.

Data Processing of Personal Data from ImagingDMD UF Website and Electronic Communication

When individuals access ImagingDMD UF websites or engage in email or other electronic communications for the purposes of commercial interest or personal communications, we automatically and manually collect and process personal data from the website user or the individual who communicates with us. The personal data that we may collect and process includes your name, job title, company name, email address, telephone number, postal address, and details about the use of the website, such as the date and time of access and records of the actions you performed while using the website. Note that some parts of our websites may use cookies and other technologies to collect this information about your internet usage. We will also collect and retain the information that you voluntarily provide to us when you communicate with us for any reason. ImagingDMD UF may use this personal data to respond to your requests for information about ImagingDMD UF or its services.
If you voluntarily use this ImagingDMD UF website, you consent to the use of information that you provide us in accordance with this Privacy Policy. Your continued access of the ImagingDMD UF website will be deemed your agreement that your personal data may be used in accordance with this policy. By providing your personal information to ImagingDMD UF in an electronic communication, you agree to the terms of this Privacy Policy and to receive electronic, telephone, and postal communications from ImagingDMD UF. By voluntarily accessing and using this ImagingDMD UF website and sending electronic communications, you agree that you have read and understood this Privacy Policy and that you accept and consent to the privacy practices and uses, retention, or disclosures of information about you. Personal data security controls and systems have been designed and implemented to be accessed only by authorized and trained personnel. ImagingDMD UF will not trade, sell, release, share or transfer your personal data for any use outside the ImagingDMD UF organization or processes without your consent, or in a form other than what was disclosed to you at the time the information was collected, unless permitted or required by law. ImagingDMD UF takes reasonable measures to maintain the confidentiality of your personal data regardless of the country where such information is stored or transferred.

Personal Data Protection and Access Rights

In accordance with applicable data protection and privacy laws, and where contractual commitments require, ImagingDMD UF ensures that you can expect all relevant data privacy, protection, and access rights, including, but not limited to, notification of our privacy policies, your rights of choice and consent or to withdraw consent at any time, to request access to specific information, to request personal data correction or deletion, to request a copy of personal data in a common digital format (e.g., PDF), and to be notified about a suspected or actual breach of your personal data.

Notification of Privacy Policy – This “ImagingDMD UF Privacy Policy” is published on the ImagingDMD UF website (http://ImagingDMD UF.org/) to provide you with information on how ImagingDMD UF handles and processes your personal data if you are a data subject in a clinical trial; for your personal data if you are an ImagingDMD UF employee, contractor, imaging site, or sponsor representative, or a member of an ImagingDMD UF vendor, supplier, or business partner; and for your personal data if you voluntarily access ImagingDMD UF websites or engage in email communications with the ImagingDMD UF for the purposes of commercial interest or personal communications.

Data Subject Choice and Consent Rights – If you are a clinical trial data subject, the ICF that was provided to you prior to participation in a sponsored clinical trial provided you with the data privacy notification from the sponsor and documentation of your consent to participate in the clinical trial under the stated conditions, including the purpose, use, confidentiality of information, and your rights as a data subject, which includes withdrawal from participation in the clinical study. ImagingDMD UF is not involved in the ICF process. If you are not involved in a clinical trial, you have rights of choice and consent as defined in contractual agreements with the ImagingDMD UF and in this “ImagingDMD UF Privacy Policy.” If you are located in the EU and if contractual agreements do not adequately cover your consent for the ImagingDMD to collect and process your personal data, you can request that your consent (or your subsequent withdrawal of consent) be documented on a “Data Subject Consent Form” or “Data Subject Consent Withdrawal Form” by contacting the ImagingDMD UF via email to privacy-iDMD@phhp.ufl.edu.

Collection and Access to Specific Information – When ImagingDMD UF serves as a data processor in a sponsored clinical trial, your personal data is typically collected from a third-party, such as an imaging site in a clinical study, and designated ImagingDMD UF will ensure that it will be collected and processed lawfully. You have the right to request that we disclose information to you about our collection and processing of your personal data. If you are a clinical trial data subject or patient, you must contact the imaging site or the clinical trial sponsor to learn how you can access your personal data since ImagingDMD UF does not possess the required information to identify you. If you are not a clinical trial data subject, you can request access to your personal data using a “Data Subject Access Request Form” that can be requested from the ImagingDMD UF via email to privacy-iDMD@phhp.ufl.edu. Once we receive your written request and confirm your identity, we will disclose to you the information that we possess.
ImagingDMD UF must maintain the accuracy, integrity, confidentiality and relevance of your personal data based on the stated processing purposes. Adequate security mechanisms designed to protect personal data must be used to prevent your personal data from being stolen, misused, or abused, and prevent personal data breaches. If ImagingDMD UF uses a third-party supplier or business partner to process your personal data on its behalf, the third-party data processor will follow established ImagingDMD UF security standards and supplier evaluation requirements to assure that the contracted third-parties adequately safeguard your personal data in a manner that is appropriate to the associated risks.

Deletion and Correction Request Rights – You have the right to request that personal data that ImagingDMD UF possesses about you be deleted or corrected if it is incorrect. If you are a clinical trial data subject or patient, you must contact the imaging site or the clinical trial sponsor to learn how you can exercise these rights. If you are not a clinical trial data subject, you have the right to request a “Data Subject Access Request Form” via email to privacy-iDMD@phhp.ufl.edu to formally request that ImagingDMD UF delete or correct any of your personal data that we collected from you and retained, subject to certain exceptions or requirements in a contractual agreement. Once we receive your request and confirm your identity, we will delete or correct your personal data in our records, unless an exception or other requirement applies. If an exception applies, you will be notified that the data will not be deleted, along with specific information about the basis for the exception. If you submit a request to correct, amend or delete your personal data records, the ImagingDMD UF must ensure that your request is handled within a reasonable time frame. If you are a clinical trial participant, since the information necessary to identify you is not collected or maintained by us, you must first communicate with the clinical trial imaging site and/or sponsor to correct, amend, or delete your records, and the sponsor must then communicate the request to ImagingDMD UF. The ImagingDMD UF must record all of the actions to delete personal data in a “Log of Destroyed Personal Data Records.”

Data Portability Rights – You have the right to receive a copy of your personal data in a structured electronic file format such as Adobe PDF, and/or to transmit those data to a designated recipient at no cost to you. If you are a clinical trial participant, you must first contact the imaging site or the clinical trial sponsor to learn how you can exercise these rights. If you are not a clinical trial data subject, you have the right to request a “Data Subject Access Request Form” via email to privacy-iDMD@phhp.ufl.edu to formally request that ImagingDMD UF provide you or a designated recipient with a copy of all of your personal data in an electronic format. There is no charge for the personal data access and transfer actions, and such requests must be processed within one month. The release of the personal data to you or your designate will be documented on a “Data Subject Disclosure Form.”

Data Breach Notification Rights – You have the right to be notified about a suspected or actual breach of security of your personal data. If you are a clinical trial data subject located in the EU, the sponsor of the clinical trial is responsible for determining whether there is a likely risk to your rights and freedoms as a data subject and for notifying you and the designated EU authority. If you are not a clinical trial data subject and if the ImagingDMD UF identifies a suspected or actual personal data security breach, the ImagingDMD UF must perform an internal investigation, properly report the incident, and take appropriate remedial measures in a timely manner, including notification of you as an affected data subject using the “Data Breach Notification Form – Data Subject.” ImagingDMD UF will record the data breach incident information into the “Register of Data Breaches”, which will be maintained in the ImagingDMD UF records archives and reviewed and updated annually.

Communication with the ImagingDMD UF

To communicate directly with us, please send an email to privacy-iDMD@phhp.ufl.edu or write to ImagingDMD UF, 2004 Mowry Road, Gainesville FL 32611.