DATATRAK International, Inc. (the “Company” or “DATATRAK”) believes it complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as provided in the guidelines set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. The Company has certified to the U.S. Department of Commerce by application dated August 25, 2010 that it intends to use reasonable efforts to adhere to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement as prescribed in the guidelines released by the U.S. Department of Commerce. To learn more about the Safe Harbor program, and to view the Company’s certification, please visit http://www.export.gov/safeharbor.

At DATATRAK International, Inc. the protection of personal data is critical for our Company and our customers because information is the foundation of our business. Our Company receives, maintains, and uses different types of personal data as listed below:

• Medical research subjects data, which are uniquely key-coded at their origin by the principal investigator to protect the identity of individual data subjects. This key code is generally maintained only by the researcher, so that they can identify the research subject under extraordinary circumstances. DATATRAK, as a third-party vendor providing technology and certain complementary services that support the medical research data collection and maintenance and does not, at any time during the course of its services, receive this key code and further at no time has access to any protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 as amended thereafter (HIPAA). Data entered into, analyzed by or recorded in the Company’s technology solution (DATATRAK eClinical) are hosted in a secure environment and enable the Company’s client to maximize the efficiencies in the clinical trial process by leveraging the Company’s technology solution and related services offering.
• Personal contact information of individuals authorized to access DATATRAK eClinical (e.g. names, etc.), and this information is used only to perform our clinical study related services as specified in the underlying contract for same. The personal contact information is not shared with third parties, unless stated otherwise in the applicable contract or agreement, in special circumstances warranting such disclosure or as necessary pursuant to an applicable law, rule or regulation.
• Personal information of employees. This information is maintained in secure electronic systems and this personal information is not shared with third parties, unless specifically stated otherwise, in special circumstances warranting such disclosure or as necessary pursuant to an applicable law, rule or regulation.

The following privacy statement outlines our intended objectives with respect to our customers’ privacy and the protection of personal information.

DATATRAK International, Inc. uses reasonable efforts to:

• Protect the confidentiality of sensitive electronic personal information by implementing customary security measures to protect against the compromise of the information under our sole control. While we make every effort to ensure the security of the network and systems where the information is maintained, we cannot guarantee or provide any assurances that our security measures then in place will prevent thirdparty “hackers” from illegally obtaining this information.
• Maintains written procedures regulating the measures above.
• Uses personal contact information from its clients’ users authorized to access DATATRAK eClinical:
• In connection with the use of the study site or our products or services.
• For responding to customers staff inquiries, comments and suggestions.
• For notification about products and services provided by DATATRAK.
• As required by law, rule or regulation, or as requested by government authorities.

Other than as listed above, DATATRAK does not share personal contact information with any third party without the consent of the proper party or entity. Personal information submitted to us is only available to DATATRAK employees, contractors, partners, agents and representatives managing this information for the purposes of delivering its services for a clinical trial or study.

NOTICE: DATATRAK will inform employees and those individuals participating in a clinical trial deployed on DATATRAK eClinical (each an “Individual” and collectively the “Individuals”) about the purposes for which it collects and uses personal information about them, who to contact with any inquiries or complaints, the types of third parties to which it discloses the personal information and the choices and means the Company offers Individuals for limiting the use and disclosure of such collected personal information.

CHOICE: DATATRAK will offer Individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the Individual. For sensitive personal information (as defined in the Safe Harbor Principles issued July 21, 2000, hereafter the “Principles”), DATATRAK takes reasonable precautions to offer an affirmative or explicit (opt in) choice if such information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the Individual through the exercise of opt in choice. DATATRAK will take reasonable precautions to treat as sensitive any information received from a third party where the third party treats and identifies it in writing as sensitive.

ONWARD TRANSFER: To disclose information to a third party, as of the Effective Date of this Policy, DATATRAK will ascertain that the third party subscribes either to (i) the Principles, (ii) is subject to the European Union Privacy Directive on Data Protection effective October 25, 1998 (the “Directive”), (iii) another adequacy finding, or (iv) will enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles.

SECURITY: DATATRAK will take reasonable precautions to protect personal information from loss, misuse and unauthorized access and disclosure.

DATA INTEGRITY: DATATRAK will take reasonable precautions to utilize personal information only for the purposes for which it which it has been collected or subsequently authorized by the Individual. To the extent necessary for those purposes, DATATRAK will take reasonable steps to ensure that data is accurate and complete in all material respects and to the best of its knowledge.

ACCESS: DATATRAK employees will have access to or the opportunity to request access to personal information about them and are able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the employee’s privacy in the case in question, or where the rights of persons other than the employee would be violated.

ENFORCEMENT: DATATRAK will perform reasonable periodic reviews of the measures described above in order to address any deficiencies that may arise. With respect to recourse for Individuals, DATATRAK encourages its personnel to raise any concerns using the contact information below. In the event that a dispute related to this Policy or the Principles cannot be resolved through our internal complaint process, we will cooperate and comply with the applicable data protection authorities. If DATATRAK does not comply with this Policy, we will take appropriate steps to address any issues and take corrective action steps to ensure future compliance. DATATRAK employees who do not follow this Policy will be subject to discipline as determined by DATATRAK and applicable law.

Any complaints or questions related to this policy can be directed to Shiela McLaughlin by email (shiela.mclaughlin@datatrak.net) or by phone (979-393-9028).