Privacy and GDPR

How Crucial Data Solutions Supports Privacy and GDPR


25 May 2018 marked the start of enforcement of the European Union’s General Data Protection Regulation. This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. Naturally, personal data is a part of research and clinical trials, so we have been busy making sure that we are compliant.

This article provides an overview of the data-related roles and responsibilities when you’ve chosen TrialKit as your research platform and explains Crucial Data Solutions’ (CDS) efforts to live up to the values and requirements of the GDPR.

Crucial Data Solutions as the Data Processor

The people you store in TrialKit as Users and Subjects are your data subjects, and you are considered the data controller for this personal data. In our Terms of Service and Privacy Policy, we refer to this data as Client Data.

Using the TrialKit system and products to manage your users and study subjects means that you have engaged Crucial Data Solutions (CDS) as a data processor to carry out certain processing activities on your behalf.

According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be set out in writing (electronic form is acceptable under subsection (9) of the same Article). This is where our Terms of Service and Privacy Policy come in. These two documents also serve as your data processing contract, setting out the instructions that you are giving to CDS with regard to processing the personal data you control and establishing the rights and responsibilities of both parties. CDS will only process your Client Data based on your instructions as the data controller.

Hopefully, this helps you to better navigate the EU’s data protection requirements. If you have any questions with regard to the above, you’re welcome to reach out to us at dpo@crucialdatasolutions.com and we’ll do our best to explain things further.

Crucial Data Solutions as the Data Controller

Additionally, Crucial Data Solutions acts as the data controller for the personal data we collect about the primary account Administrator, the user of our web app, mobile apps, and website.

First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).

Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.

Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).

What Are These ‘Legitimate Interests’ We Talk About?

Improving the mobile app and website to help provide you with a more powerful research data collection tool.

Making sure that your data and TrialKit’s systems are safe and secure.

Marketing our product and its features.

As the controller for your personal data, Crucial Data Solutions is committed to respecting all your rights under the GDPR.

If you have any questions or feedback, please reach out to our Data Protection Officer by email at dpo@clsds.com.

What is Crucial Data Solutions Doing for the GDPR?

As a company with users in Europe and around the globe, Crucial Data Solutions is very much up to speed with the implications that the EU General Data Protection Regulation has for businesses.

We appreciate the privacy needs of TrialKit users, as well as underlying subjects, and have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Crucial Data Solutions.

Internal Processes, Security, and Data Transfers

A large part of GDPR compliance is making sure that there are procedures in place that ensure that data processes are mapped and auditable. We have added elements to our application development cycle to build features in accordance with the principles of Privacy by Design. Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.

We have established a process for onboarding third-party service providers and adopting tools that make sure that these third parties meet the high expectations that Crucial Data Solutions and its customers have when it comes to privacy and security. We have further launched a data center in Europe to store the databases of EU customers to improve performance and provide additional assurance that your data enjoys the level of protection envisioned by the GDPR.

Readiness to Comply With Subject Access Requests

Data subjects’ ownership of their personal data is at the heart of the GDPR. We have created a readiness to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support Specialists along with the Engineers that assist them in their work are well-prepared to help you in any matters involving your personal data, in addition to providing the prompt and courteous customer support experience that you are accustomed to.

Documentation

Our Terms of Service and Privacy Policy are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements. As these are the basis for our relationship with you, it is very important for us to comprehensively and openly explain our commitments and your rights in these documents. Additionally, we’re constantly mapping all our data processing activities to be able to comply with the GDPR accountability requirements.

Training
All of the above is supported by extensive training efforts within the company so that the GDPR-compliant processes we’ve put in place are followed. Sessions on data privacy and security are an integral part of our onboarding process and each department receives training that is tailored to their work involving personal data.

Crucial Data Solutions is firmly convinced that meeting GDPR requirements is much more than just checking off boxes in a list. For us, the GDPR is truly a lifestyle of respect for individuals’ privacy and responsibility in handling personal data.

FAQ

Q: What is the EU-US Privacy Shield Framework?

A: The EU-US Privacy Shield Framework was developed and agreed to by the European Commission and the US Department of Commerce in 2016. It enabled US organizations certified under the program to legitimately receive personal data from the EU. More information about the program may be found on the U.S. Department of Commerce’s website at Privacy Shield Home.

Q: What has happened to the EU-US Privacy Shield Framework?

A: On 16 July 2020, the European Union Court of Justice (CJEU) declared the EU-US Privacy Shield program invalid. As a result, organizations can no longer rely upon their Privacy Shield certification as a method for transferring personal data from the EU to the US.

Q: What does this mean for my company using Crucial Data Solutions' products and services?

A: To ensure that transfers of personal data from the EU to the US can occur in line with European data protection laws, we will enter into the Standard Contractual Clauses (sometimes referred to as model clauses) with our customers upon request. These Standard Contractual Clauses legitimize the transfer of personal data from the EU to the US.

Q: What are the Standard Contractual Clauses?

A: The Standard Contractual Clauses are a set of contract terms created by the European Commission to legitimize the transfer of personal data from Europe.

Q: How does my company incorporate Standard Contractual Clauses into my CDS contract?

A: You should complete, sign, and return the Standard Contractual Clauses to privacy@crucialdatasolutions.com. The Standard Contractual Clauses, by their terms, will be incorporated into your existing agreement with CDS.

Q: What should I do if I have additional questions?

A: Please contact privacy@crucialdatasolutions.com and we will be happy to assist you.