This Policy was updated on 15 May 2018
Genomic Health, Inc. (“GHI”, “we”, “us”) carefully protects the confidentiality of Personal Data (defined below) provided to us by patients, employees, healthcare professionals and business partners. We value the trust placed in us by patients, our employees, healthcare professionals and business partners (“you”). We will not release Personal Data about you to third parties for purposes other than to provide services to which you have agreed, or to comply with applicable legal requirements. We are committed to upholding best practices in our use, collection, storage and disclosure of personal information.
The US Department of Commerce has agreed on requirements that permit U.S. companies to satisfy the mandate under European law and Swiss law that adequate protection is provided to Personal Data transferred from the European Union, European Economic Area, or Switzerland to the U.S. For EU citizens’ personal data, these requirements are memorialized in the EU-US Privacy Shield Framework. For Swiss citizens’ Personal Data, these requirements are memorialized in the Swiss-U.S. Privacy Shield Framework.
2. Compliance With Privacy Shield And Swiss-U.S. Privacy Shield Framework; Federal Trade Commission Jurisdiction
We comply with the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles, and with the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce (collectively, the “Principles”). GHI has certified that it adheres to the Principles. To learn more about the Principles and to view GHI’s certification, please visit: https://www.privacyshield.gov. The Federal Trade Commission has jurisdiction over GHI’s compliance with this Policy, the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
This Policy applies to all Personal Data received by us in the United States of America from the European Union member countries and Switzerland, in any form including electronic.
For purposes of this Policy, the following definitions shall apply:
"Agent" means any third party that collects or uses personal information under our instructions or to which we disclose personal information for use on our behalf. These third parties are most commonly: employee payroll, employee benefits, distribution, service, and billing partners.
"GHI” means GHI, and our successors, affiliates, subsidiaries, divisions and groups in the United States of America, EEA, and Switzerland. GHI is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
"Personal Data" or “Personal Information” means any information or set of information that identifies or is used by or on behalf of us to identify an individual in the context of providing our services. Personal data does not include information that is encoded or anonymised.
"Sensitive Personal Information" means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, criminal convictions or indictments, trade union membership, or that concerns health or sex life, and any other categories of information identified as sensitive personal information by the applicable local laws. We will treat any information received from a third party as sensitive personal information where that third party treats and identifies the information as sensitive personal information.
5. Privacy Shield Principles
The privacy principles in this Policy are based on the Privacy Shield Principles.
Notice: Where we collect Personal Data directly from individuals (such as employees or customers) in the EU and Switzerland, we will inform them about:
- our participation in the Privacy Shield and the web address for the Privacy Shield list;
- the types of Personal Data collected and the purposes for which we collect and use that information;
- our commitment to apply the Privacy Shield Principles to all Personal Data received from the EU and Switzerland under the Privacy Shield;
- how to contact us with any inquiries or complaints;
- the type of Agents to which we disclose Personal Data, and for what purposes;
- their right to access their own personal data;
- the independent dispute resolution body (the ICDR/AAA (American Arbitration Association), an alternative dispute resolution provider based in the United States) we have designated to address complaints, free of charge to a complainant;
- our being subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission;
- the possibility, in some circumstances, that the individual may invoke binding arbitration;
- the requirement that we disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
- our liability in cases of onward transfers to third parties.
Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to us, or as soon as possible thereafter, and in any event before we use or disclose the information for a purpose other than the original purpose for which it was collected.
Where we receive Personal Data from our subsidiaries, affiliates or other entities in the EU or Switzerland, we will use and disclose such information in accordance with the notices provided by such entities and the choices made by individuals regarding their Personal Data.
Choice: We do not use Personal Data for purposes other than for those for which it was collected. We do not share such information with non-Agent third parties, unless required by law.
Accountability for Onward Transfer (transfers to Agents): We only transfer Personal Data to Agents for limited and specified purposes, consistent with any notice provided to you and consent given. We transfer Personal Data to Agents only if the Agent agrees to provide the same level of privacy protection as is required by this Policy and the Privacy Shield Principles. We require Agents to notify us if they determine that they can no longer provide the protections required by the Privacy Shield Principles. Where we know an Agent is using or disclosing Personal Data in a manner contrary to the Privacy Shield Principles, we will take all reasonable steps to stop and remediate unauthorized processing of Personal Data. In cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, GHI is potentially liable.
Security: We take all reasonable precautions to protect Personal Data in our possession from loss, misuse and unauthorised access. In addition, we will take all reasonable steps to prevent unauthorised disclosure, alteration and destruction of Personal Data.
Data Integrity and Purpose Limitation: We will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorised by the individual. We will take all reasonable steps to ensure that Personal Data we process is limited to only what is relevant to the purposes for which it was collected and that it is accurate, complete, and up-to-date.
Access: Upon request, we will grant individuals reasonable access to Personal Data that we hold about them, which consists mainly of information received from our customers. In addition, we will take reasonable steps to permit individuals to correct, amend, or delete information that is inaccurate, incomplete, or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual requesting the data would be violated). We are unable to correct anything other than factual errors in any report we produce for our customers because the report is based on information provided by such customers. However, we will take all reasonable steps to facilitate amendments to information provided by our customers if an individual raises a query.
Recourse, Enforcement and Liability: We will conduct compliance audits of our relevant privacy practices, for example our information and data processing systems, to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
Please direct any questions or concerns regarding the use or disclosure of Personal Data to the GHI data protection officer at the address below. At no cost to you, we will investigate and attempt to resolve complaints and disputes regarding the use and disclosure of your Personal Data in accordance with the principles contained in this Policy. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit http://go.adr.org/privacyshield.html for more information on how to file a complaint. For complaints that cannot be resolved between us and a complainant, we have selected an independent recourse mechanism, the ICDR/AAA (American Arbitration Association), an alternative dispute resolution provider based in the United States, to resolve disputes pursuant to the Privacy Shield Principles. The services of the ICDR/AAA are provided at no cost to you. The same chain of complaint resolution is available for possible unfair or deceptive practices and violations of laws or regulations governing privacy. In certain limited circumstances, individuals have the right to invoke binding arbitration by delivering notice to GHI at the contact address below. For more information about binding arbitration under the Privacy Shield, please visit http://go.adr.org/privacyshield.html.
6. Swiss-U.S. Privacy Shield Framework Principles
We comply with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of Personal Data from Switzerland. We adhere to the seven Swiss-U.S. Privacy Shield Framework Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. If there is any conflict between the policies in this Policy and the Swiss-U.S. Privacy Shield Framework Principles, the Swiss-U.S. Privacy Shield Framework Principles shall govern. To learn more about the Swiss-U.S. Privacy Shield Framework program and to view GHI’s certification page, please visit https://www.privacyshield.gov.
7. Limitation On Application Of Principles
Adherence by us to these Privacy Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.
8. Internet Privacy
We regard the Internet and the use of other technologies as valuable tools for communicating and interacting with our patients, employees, healthcare professionals, business partners, and others. We understand the importance of maintaining the confidentiality of information collected and/or stored online, and we have systems in place that protect data collected and/or stored online or via an electronic database. Personal Data that is transferred from the EEA or Switzerland to the United States of America will be treated in accordance with this Policy.
9. Telephone Contact with Genomic Health
When you call Genomic Health Customer Service in Europe, that call and the number you are calling from (if displayed) are recorded on GHI’s telephone system for quality assurance. The recording is stored on a server located in Europe. The call recording and the phone number will be permanently purged from GHI’s automated calling system within 2 years, one month and one day from when the call was recorded, unless Genomic Health is legally required to keep the recording longer.
You may opt out of having your call recorded by asking the customer service agent during your call, and you may call Genomic Health customer service at any time to have a voice recording deleted.
If you choose to leave a voicemail on Genomic Health’s telephone system, that voicemail may be stored temporarily on Genomic Health’s United States server. The voicemail will generally be deleted as soon as a customer service agent has listened to the message and taken action based on it, but a backup may be retained for one week.
10. Inquiries And Complaints
Inquiries, comments or complaints should be submitted to the GHI data protection officer by mail as follows:
GENOMIC HEALTH, INC.
ATTN: Data Protection Officer
301 Penobscot Drive
Redwood City, California 94063
We may amend this Policy from time to time by posting a revised Policy at http://www.genomichealth.com/privacy. We will only amend this Policy in a manner consistent with the requirements of the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and other applicable law.