Handling of Personal Information

In Orthomedico, (hereinafter referred to as “the Company”), for the purpose of conducting clinical trials on human subjects (hereinafter referred to as “clinical trials”), in relation to the business of conducting clinical trials on pharmaceuticals, quasi-drugs, food products and etcetera, in order to conduct a clinical trial, the Company may handle Personally Identifiable information (PII) (Name, date of birth, address, telephone number, e-mail address, bank account number, photograph and any other data that can be used to easily identify an individual) from individuals who have given their consent to participate in clinical trials. The following rules are be followed to ensure appropriate handling of the above-mentioned personal information.

Management of personal information

To ensure that personal information is properly managed in compliance with the Personal Information Protection Act and other relevant laws and regulations, a personal information protection manager shall be appointed by the Company to perform such duty.

Collection of personal information and its purposes

The Company collects and uses personal information only under the following circumstances.

A) Personal information of clinical trial participants

• ① Operation and management of webpages (Including email newsletter, selection of eligible individuals etc.)
• ② Recruitment and management of volunteers for clinical trials
• ③ Eligibility check and contact volunteers or trial participants
• ④ Delivery of honorarium to trial participants
• ⑤ Responding to inquiries and requests from trial participants
• ⑥ Questionnaire survey
• ⑦ Data aggregation & statistical analysis, and discussion of proposal of new service(When publishing data, measures will be taken to ensure that individuals are not identifiable.)

B) Personal information obtained from individuals of companies, facilities and organizations etc, with whom the Company does business or has partnership, through access of the Company’s webpages, exchange of business card (including online), organized events and other methods prescribed by the Company.

• ① Operation and management of webpages
  (Including email newsletter distribution, selection of eligible individuals)
• ② Responding to inquiries and requests
• ③ Business meeting, negotiation and execution of contract
• ④ Execution of entrusted work
• ⑤ Provision of information to and communication with suppliers

C) Employees and board members (Including past employees and board members), and their family members whose information was collected according to procedures specified by the Company, and personal data provided by applicants for employment during recruitment procedures or recruitment assistant services.

• ① Discussion, elaboration and contacting in relation to hiring decision, as well as procedures on induction and employment at the time of employment.
• ② Human resource management including employment and retirement process, payroll and other labour management.
• ③ Employment benefits, staff training, health and safety management

The personal information obtained will not be used for any purpose other than those stated above and measures will be taken for this purpose.

Disclosure and provision of personal information to a third party

Within the scope of the purpose of use, the Company may outsource work that involves the handling of entrusted personal information to an external party. If such is the case, the Company will strictly manage and supervise the external party in which the outsourcing is performed.
The Company will properly manage the personal information provided by its clients and will not disclose personal information to third parties, except in the following cases.

• Where required by law
• Where the client has given his/her consent in relation to the disclosure or provision of information
• Where the information is necessary for the protection of human life, body or property of a person and it is difficult to obtain the consent of the person concerned
• Where the information is particularly necessary for improvement of public health or promotion of the healthy growth and development of children, and it is difficult to obtain the consent of the person concerned.
• Where the information is necessary for the cooperation with a state body, a local authority or an individual or entity entrusted in executing the affairs prescribed by law, and obtaining a consent from the individual involved may impede the execution of the affairs concerned.

Measures taken for safety management of “personal data the business holds”

In accordance with the Personal Data Protection Act, the Company takes the following measures to ensure the safety management of acquired personal data.

A) Writing a privacy policy

In order to ensure the proper handling of personal information, a personal information protection policy that covers “Compliance with relevant laws and regulations”, “Acquisition, use and provision of personal information”, “Sources of personal information” and “Response to questions and complaints” is formulated.

B) Establishment of rules for handling of personal data

Rules for the handling of personal data are formulated for all processes respectively, i.e. rules for acquisition/input, use/processing, storage, transfer/transmission, deletion/disposal, etc., concerning handling methods, managers/handlers and their duties. In addition, the Company establishes rules for safety management of personal data, for inspections and audits of the state of data handling, and for outsourcing to external party.

C) Measures for organizational safety management

While having a responsible person/manager appointed for the handling of personal data, the Company states clearly the employees and officers who handle personal data and the scope of personal data handled by such employees and officers. A system for reporting to the responsible person, in the event when a fact or an indication of a breach of the Law or handling rules is detected, is also established.
In addition, the handling rules for the safety management of personal data in its employment regulations, etc., and the means to check the status of the handling of personal data are also in place. Nevertheless, regular inspections and audits of the status of the handling of personal data are conducted.

D) Measures for human safety management

About the handling of personal data, the employees and board members are informed thoroughly about the measures of safety management, educated and trained regularly. Moreover, the roles and responsibilities of managers and handlers of personal data, and their compliance with personal data management procedures is checked from time to time.

E) Measures for physical safety management

In relation to location where important equipment that handles personal data is installed, restrictions to employees and board members that can access it and any equipment that can be brought in, as well as measures to prevent access to personal data by unauthorized persons, are in place.

F) Measure for technical safety management

Access control is implemented to limit the scope of handlers and the personal data databases that are being handled. In addition, together with measures to prevent leaks of personal data, the operation of personal data handling information systems is documented, monitored and audited.

Provision of personal information

All personal data is provided voluntarily by users on their own free will. However, any failure to provide the whole of the required information may result in hinderance to any related procedures, communications and services.

Disclosure, modification and termination of use of “personal data the business holds” & third-party records

If a request for disclosure, modification, addition or deletion of “personal data the business holds” and records provided to third parties is received, notification of the purpose of use, or refusal to use or provide such data, the Company will respond promptly in accordance with established procedures. If a disclosure of personal data, etc. is needed, please contact the Company and the person in charge will respond to your request.

General inquiries and complaints about handling of personal information

For inquiries about the handling of personal information, or requests concerning matters such as consultation, complaint or disclosure, please contact the Company using the following contact information for assistance.