TMF Solutions Global Privacy Statement

This Global Privacy Statement outlines the key principles and practices we uphold to guarantee the lawful, secure, and ethical management of personal data in TMF-related activities.

1. Global Regulatory Alignment
Cencora’s TMF services operate in accordance with the requirements of major privacy and data protection regimes, including but not limited to:

  • EU General Data Protection Regulation (GDPR)
  • UK GDPR and Data Protection Act 2018
  • United States HIPAA and state privacy laws (e.g., CCPA/CPRA)
  • Canada’s PIPEDA and provincial health privacy laws
  • Japan’s Act on the Protection of Personal Information (APPI)
  • South Korea’s Personal Information Protection Act (PIPA)
  • Australia’s Privacy Act 1988
  • Switzerland’s revised Federal Act on Data Protection (revFADP)
  • India’s Digital Personal Data Protection Act (DPDPA)

Our TMF services are designed to meet or exceed the obligations set forth by these laws with respect to transparency, purpose limitation, data minimization, security, access rights, retention, and international transfers.

2. Privacy by Design and Default
Privacy is embedded in the design of our TMF platforms, technologies, and operational procedures. We apply robust privacy by design and by default measures across the entire TMF lifecycle, from study start-up through archiving and post-trial obligations. This includes:

  • Limiting access to personal data based on roles and responsibilities
  • Systematic pseudonymization or redaction of personal identifiers where feasible
  • Granular permissioning and audit trail functionality
  • Ongoing risk assessments and data protection impact assessments (DPIAs) for TMF workflows
  • Configurable retention rules aligned with applicable legal and regulatory requirements

3. Data Subject Rights Assurance
Cencora TMF services include mechanisms that support the exercise of data subject rights under applicable laws. These mechanisms allow authorized sponsors and CROs to respond effectively to:

  • Requests for access to personal data stored in the TMF
  • Correction or rectification of inaccurate or outdated data
  • Anonymization of data for legal or scientific purposes
  • Restrictions on processing where legally applicable

All TMF platforms and service processes are structured to uphold individual rights without compromising regulatory compliance or clinical research integrity.

4. Secure Data Hosting and Cross-Border Transfer Controls
Cencora ensures that all TMF data is hosted in secure, access-controlled environments. We maintain data residency options in key regions, including the EU, UK, US, and APAC, to support client-specific hosting and jurisdictional requirements. Where cross-border transfers of personal data are necessary, Cencora implements appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs)
  • International Data Transfer Agreements (IDTAs)
  • Country-specific adequacy assessments

All transfers are subject to contractual and technical measures to prevent unauthorized access, ensure integrity, and preserve data confidentiality.

5. Contractual and Organizational Accountability
Cencora acts as a data processor or sub-processor in TMF services, depending on the specific engagement model. Our contracts clearly define roles, responsibilities, and data protection obligations in alignment with Article 28 of the GDPR and similar frameworks globally. All employees and subcontractors involved in TMF services are trained in data protection principles and subject to:

  • Confidentiality agreements
  • Background checks (where permitted)
  • Ongoing privacy and security training programs
  • Monitoring and accountability frameworks

We conduct regular internal audits and third-party assessments to ensure compliance and transparency.

6. Third-Party Vendor Management
Cencora’s TMF services may involve engagement with carefully vetted third-party vendors for functions such as:

  • Electronic document management systems (eTMF platforms)
  • Secure cloud infrastructure
  • Archiving and disaster recovery
  • Specialized regulatory support

Each vendor is assessed for their data protection posture and must meet stringent contractual, technical, and organizational standards. We maintain an approved sub-processor list, available to clients upon request.

7. Retention, Archiving, and Deletion Standards
Cencora TMF services follow industry best practices and sponsor-specific requirements for the retention and archival of TMF content, including personal data. We ensure that:

  • Retention periods are configurable and aligned with ICH E6(R2), EMA GCP guidelines, and local regulations
  • Archived data remains accessible and tamper-proof throughout the retention lifecycle
  • Secure deletion or anonymization is performed upon expiry of the retention term, with full audit logs and certificates of destruction provided

Where country-specific purging laws apply, we collaborate with sponsors to implement compliant processes and evidence mechanisms.

8. Transparency and Client Collaboration
Cencora is committed to transparency and proactive communication with clients. As part of our TMF services, we offer:

  • Privacy and compliance documentation, including data protection agreements (DPAs)
  • Regular compliance updates to reflect changes in laws or enforcement practices
  • Optional data protection impact assessment (DPIA) support
  • Participation in sponsor-led audits and regulatory inspections

We work closely with sponsor privacy, compliance, and clinical operations teams to ensure continuous alignment with evolving regulatory requirements.

9. Incident Response and Breach Management
In the unlikely event of a data security incident, Cencora TMF services follow a documented and tested incident response plan, including:

  • Prompt detection and containment of potential breaches
  • Notification to clients without undue delay
  • Detailed investigation and root cause analysis
  • Remediation and preventive actions
  • Support for regulatory notifications where required

All incidents are logged, tracked, and reviewed to ensure full accountability and continuous improvement.

10. Ongoing Commitment to Privacy Excellence
Cencora views privacy and data protection not only as legal requirements but as integral components of ethical research and sponsor trust. Our privacy governance model is overseen by a dedicated global privacy office and supported by cross-functional compliance, legal, clinical, and technology teams.
 
We continually monitor changes to the global privacy landscape and evolve our TMF services to reflect emerging legal standards, industry best practices, and client-specific needs.

Contact us

If you have any questions about our privacy practices or TMF compliance measures, or if you would like to request a copy of our data protection documentation, please contact:

Cencora Global Privacy Operations Office
Email: privacy@cencora.com