Meeting the Highest Security, Privacy, and Safety Standards
Committed to Data Protection: Safeguarding Your Privacy
As the life science market continues to advance, we at BC Platforms support the principle that safeguarding data privacy remains a critical priority. Compliance with regulations, anonymization or pseudonymization, informed consent, robust data security, responsible data sharing, transparent policies, breach response plans, and ethical considerations remain our top priorities, so that individuals’ privacy is protected while fostering scientific research progress.
In addition, we closely monitor emerging and pending regulatory frameworks and ecosystems to assure the ongoing safe facilitation of research and innovation. By upholding these considerations, we aim to build trust with our customers and partners, driving innovation in a responsible and privacy-conscious manner with the ultimate goal of addressing the patients’ unmet needs.
Global Compliance
The sensitive nature of health information necessitates robust safeguards to maintain individuals’ privacy while facilitating scientific progress. Compliance ensures that health information is handled securely and confidentially, protecting individuals’ rights and privacy.
At BC Platforms, we uphold these standards and are proud to deliver products aligning to these requirements:
-
Under the EU’s General Data Protection Regulation (GDPR), a data controller is the organization that determines the purposes and means of processing personal data. In other words, the data controller decides the how and why of a data processing operation. A data processor, on the other hand, is an organization that processes personal data on behalf of a data controller. Whether working as a data controller or a data processor, BC Platforms is committed to upholding the principles and requirements of GDPR across all of our operations. We implement appropriate technical and organizational measures to protect data and uphold the rights of data subjects. As a data processor, we only process personal data for specified, explicit and legitimate purposes as instructed by our clients and partners.
-
BC Platforms maintains comprehensive safeguards and protections to enable customers to freely and securely transfer personal data from the EU/EEA in compliance with the Schrems II ruling. Our solutions and cloud services adhere to the highest standards of data security for cross-border data transfers, and we maintain EU adequacy by adopting the full suite of standard contractual clauses and binding corporate rules for data exports.
The adequacy decision of July 10, 2023, on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework. With the adoption of the adequacy decision, European entities are able to transfer personal data to participating companies in the United States without having to put in place the additional data protection safeguards required by the Schrems II ruling. The new UK-US Data Bridge brought similar developments for data transfers from the UK to the US.
Similar legislation on international data transfers exists in all countries where we, our customers and our data partners operate. Therefore, it is all the more important to offer full transparency and auditability around data handling. BC Platforms continuously follows legislative developments around the world and evaluates and updates its technical and organizational measures to identify and mitigate any potential risks to personal data.
Read more on safe and trusted EU-US data flows:
https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721
For more information on the Schrems II ruling read the European Court of Justice judgment:
https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
Refer also to new developments in the UK-US data bridge:
https://www.onetrust.com/blog/what-the-new-uk-us-data-bridge-means-for-your-organization/
For more information on the Personal Data Protection Act of Singapore, please see:
https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
For more information on the Swiss Federal Act on Data Protection, read the following:
https://www.kmu.admin.ch/kmu/en/home/facts-and-trends/digitization/data-protection/new-federal-act-on-data-protection-nfadp.html
-
BC Platforms has the capacity to comply with all applicable standards and requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA) when needed. We have comprehensive policies and safeguards in place to ensure the privacy and security of PHI. Our systems are designed to limit PHI access only to authorized individuals who operate under strict confidentiality agreements. We conduct employee training on safe handling of PHI and our vendor management policies emphasize security and privacy in all parts of the supply chain. BC Platforms utilizes security controls like encryption and access logging to protect PHI against unauthorized use or disclosure. As per HIPAA guidelines, we have business associate agreements (BAAs) with our customers and partners as needed. We report any potential breach or disclosure of PHI as required by law. We remain transparent and accountable in our commitment to protecting sensitive patient health information.
-
Following the introduction of the US Food and Drug Administration’s policy for accepting real world data (RWD) in addition to traditional clinical trial data in new drug applications, BC Platforms is committed to supporting access to RWD which can be used in support of submissions made under FDA regulations.
RWD planning should start early in a clinical development program and run alongside randomized clinical trial (RCT) activities. This ensures an optimal regulatory submission package with gold-standard RCT data strengthened by RWD for additional context around endpoints in clinical practice, under-represented populations, and long-term or rare events.
BC Platforms has capabilities for maintaining audit trails of data, starting from extracting RWD sources through maintenance and retention of dataset(s), including the tracking of user access, data changes, changes to the protocol, and analyses performed. The RWD and associated programming codes and algorithms are documented, well-annotated, and complete, allowing FDA to replicate the study analysis using the same dataset and analytic approach.
BC Platforms can provide solutions which fully comply with 21 CFR Part 11 regulations governing electronic records and signatures in pharmaceutical research. Our systems meet the FDA requirements for data integrity, audit trails, system security, and electronic signature controls. We enable customers to securely collect, analyze, and report clinical trial data per 21 CFR Part 11 standards.
-
BC Platforms upholds all regulations set forth by the European Medicines Agency (EMA) governing the processing and management of data related to medicinal products. We have robust information security systems and protocols in place to ensure the confidentiality and integrity of clinical trial data. Our platforms and solutions enable customers to comply with EMA standards for electronic records and signatures used in clinical trials.
BC Platforms maintains high quality systems validated per GAMP 5 guidelines that adhere to principles of data privacy, transparency and ethics established by EMA. We provide full audit trails and are committed to cooperation with inspections by EU authorities. Through our strong data governance policies and commitment to compliance, BC Platforms enables pharmaceutical clients to securely collect, process and submit clinical trial data to meet all EMA regulatory obligations.
-
BC Platforms is fully committed to complying with the U.S. Cloud Act which governs law enforcement access to data stored by cloud service providers. We have stringent policies and procedures in place to ensure that any requests we may receive from law enforcement entities for customer data are carefully validated and vetted for legal sufficiency. We only disclose customer data when compelled by court orders and notify affected customers as permitted by law.
Our cloud architecture provides logical separation of customer data to prevent unauthorized access. We use encryption technologies to secure sensitive data at rest and in transit. BC Platforms undergoes independent audits to verify our data security controls consistently meet or exceed Cloud Act requirements. We are transparent with our customers about our data handling practices. Through stringent controls and being fully accountable, BC Platforms helps customers globally leverage the cloud while adhering to the Cloud Act provisions regarding lawful access to data.
-
BC Platforms is fully committed to complying with the new EHDS guidance and will register as a data intermediary well before the 2025 deadline. Our project experience in Europe with initiatives such as HDR-UK and FinnGen positions us well for the EHDS federated approach.
See also:
https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_2712
https://publications.jrc.ec.europa.eu/repository/handle/JRC133988
What Makes Us Trustworthy
Your tools must be secure, compliant and highly available. We are committed to applying the best security and compliance standards for your data. Our solutions are built with scalability and availability in mind, so you can consistently embed security, maximize availability, and validate compliance.
BC Platforms’ solutions undergo industry-standard security audits on an annual basis. We are verified at the highest level, not only for our products and services, but also for our own internal security policies, processes and employees.