ICON EU-US, the UK Extension and EU-Swiss Data Privacy Framework

This policy was last updated on 20 October, 2025

Data Privacy Framework Policy

ICON is committed to protecting your privacy. This privacy policy (the “Policy”) sets out the privacy principles which ICON follows with respect to transfers of personal data from the European Union (EU) and Switzerland and the United Kingdom (and Gibraltar) to the United States including personal data relating to employees, customers, business partners as well as the personal information of healthcare professionals and clinical study participants where ICON is providing services to its customers as a Clinical Research Organisation.  

Data Privacy Framework

ICON complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  ICON has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  ICON has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Scope

This Policy applies to all personal information, whether in electronic or paper format, received by ICON in the United States from the EU, and Switzerland and the UK and outlines our general policy for the implementation of the Principles. 

Definitions

For the purposes of the Policy, the following definitions shall apply:

“Agent” means any third party processing personal information on behalf of, and under the instruction of ICON.

“European Union” or “EU” means for the purposes of this Policy all countries within the European Economic Area (EEA).

“ICON” means ICON Clinical Research LLC as well as its  affiliates, subsidiaries, divisions and groups in the United States listed as “Covered Entities” on ICON’s Data Privacy Framework certification located at http://www.dataprivacyframework.gov and at schedule 1 of this Policy.

“Personal data” and “personal information” means data about an identified or identifiable individual that are within the scope of the Directive, received by ICON in the United States from the European Union, and recorded in any form. It does not include personal information that has been anonymized or that is publicly available, that has not been combined with non-public personal information.

“Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

“Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sex life. In addition, ICON will treat as sensitive, any information received from a third party where that third party treats and identifies the information as sensitive.

Privacy principles

The privacy principles in this Policy are in accordance with the Principles set out in the EU-US DPF and the UK Extension to the EU-U.S. DPF and the Swiss-US DPF.

Notice

Where ICON collects personal information directly from individuals in the EU, the UK or Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which ICON discloses that information, and the choices and means, if any, that ICON offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to ICON, or as soon as practical thereafter, and in any event before ICON uses the information for a purpose other than that for which it was originally collected.

Where ICON receives personal information from its subsidiaries, affiliates or other entities in the EU, the UK or Switzerland, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to who such personal information relates.

During the conduct of its operations, ICON may collect and process personal information relating to:

1. Study participants, clinical research investigators and their staff as well as medical and healthcare professionals. The collection of personal information such as contact information, qualifications, debarment status and account information is to facilitate the proper conduct of research studies and to carry out other study related services. Information collected may be transferred to the Sponsor of a study, business partners, ICON affiliates and third-party service providers performing study related duties and may furthermore be transferred to regulatory authorities.
2. Customers, vendors and consultants. ICON keeps contact information, account numbers and information relating to billing, together with other information which may be necessary for the daily operation of ICON’s services including conducting customer, product and service surveys, direct marketing of products and services, handling customer complaints and enquiries, making disclosure under the requirements of any law applicable, any other directly related matters.
3. Human resources data such as curriculum vitae, contract information, residential address, date of birth, gender, government identification number, account information, qualifications and training records, debarment status, performance reviews, which is processed to support ICON’s human resources functions and activities including the administration of employee benefits, compensation, management of employee performance, business planning, disciplinary procedures including the investigation and reporting  of complaints and for compliance with legal obligations, policies and procedures.    
4. Prospective study participants, prospective investigators and users of ICON applications and websites who make enquiries regarding ICON services may be asked to provide personal information in order to provide the requested information, products or services. Personal information provided may be used for the processing of requested transactions, improving the quality of our services, sending communications about our products and services, enabling our business partners and service providers to perform certain activities on our behalf and complying with our legal obligations, policies and procedures.   

ICON may use the personal information it collects to comply with our legal obligations, policies and procedures and for internal administrative purposes

Personal information collected and/or processed may be disclosed to a particular study sponsor, third party service provider, business partner and/or where required, regulators. ICON may not need to furnish notice where processing is necessary to respond to a government inquiry, is required or authorized by applicable laws, court orders or government regulations, or is necessary to protect ICON's legal interests and providing notice would interfere with the above requirements.

Choice

ICON offers individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.

Please contact: 

Global Data Protection Officer
ICON plc, South County Business Park
Leopardstown
Dublin 18, Ireland

Data_Privacy_Officer@iconplc.com

For sensitive information, ICON will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  In addition, ICON will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

Accountability for onward transfer

Transfers of personal information to a third party acting as a controller are covered by the provisions of this Policy regarding Notice and Choice Principles.  ICON holds contracts with the third-party controllers that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify ICON if it makes a determination that it can no longer meet this obligation.  The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.

When transferring personal information to a third party acting as an Agent, ICON: (i) transfers such data only for limited and specified purposes; (ii) has ascertained that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the ICON’s obligations under the Principles; (iv) requires the agent to notify ICON if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), ICON will take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

ICON is potentially liable in cases of onward transfer to third parties of data of EU, UK or Swiss individuals received pursuant to the Data Privacy Framework. 

Security

ICON takes reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data integrity and purpose limitation

ICON uses personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. ICON takes reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current. ICON will only collect and store Personal Information that is relevant to fulfill the purpose and will retain such information no longer than appropriate to fulfill the purpose.

Access and correction

Upon request, ICON will grant individuals reasonable access to the personal information it holds about them. In addition, ICON will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or has been processed in violation of the Principles. 

Please contact:

Global Data Protection Officer
ICON plc, South County Business Park
Leopardstown
Dublin 18, Ireland

Data_Privacy_Officer@iconplc.com

Verification

ICON will use a self-assessment verification approach and conduct compliance audits of its applicable privacy practices to verify adherence to this policy. ICON's employees receive ongoing privacy awareness training on ICON's privacy principles and practices.

Recourse, enforcement and liability

Any complaints or concerns regarding the use or disclosure of personal information transferred from the EU or Switzerland and the United Kingdom to the US should in the first instance be directed to the ICON Global Data Protection Officer at the address given below. ICON will investigate and attempt to resolve complaints in accordance with the Data Privacy Framework Principles within 45 days of receiving a complaint.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ICON commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. ICON is committed to following the determination and advice of these authorities. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means.

The Federal Trade Commission has jurisdiction over ICON’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Any employee that ICON determines is in violation of this policy will be subject to disciplinary action.

Limitation on scope of principles

Adherence by ICON to this policy may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement.

Changes to this policy

This policy may be amended from time to time, consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended policy, as stated. 

Contact information

Questions, complaints or comments related to this policy, data processing or data collection should be submitted to the ICON Global Data Protection Officer:

Attention: Global Data Protection Officer
ICON plc, South County Business Park
Leopardstown
Dublin 18, Ireland

Data_Privacy_Officer@iconplc.com