Global Data Privacy and Security Statement | Genomic Health, Inc.
This Policy was updated on 19 September 2016
Genomic Health, Inc. (“GHI”, “we”, “us”) carefully protects the confidentiality of Personal Data (defined below) provided to us by patients, employees, healthcare professionals and business partners. We value the trust placed in us by patients, our employees, healthcare professionals and business partners (“you”). We will not release Personal Data about you to third parties for purposes other than to provide services to which you have agreed, or to comply with applicable legal requirements. We are committed to upholding best practices in our use, collection, storage and disclosure of personal information.
The US Department of Commerce has agreed on requirements that permit U.S. companies to satisfy the mandate under European law and Swiss law that adequate protection is provided to Personal Data transferred from the European Union, European Economic Area, or Switzerland to the U.S. For EU citizens’ personal data, these requirements are memorialised in the EU-US Privacy Shield Framework. For Swiss citizens’ Personal Data, these requirements are memorialised in the US-Swiss Safe Harbour Framework.
2. Compliance With Privacy Shield And U.S.-Swiss Safe Harbour Framework; Federal Trade Commission Jurisdiction
We comply with the E.U.-U.S. Privacy Shield Framework Principles, including the Supplemental Principles and the U.S.-Swiss Safe Harbour Framework as set forth by the U.S. Department of Commerce (collectively, the “Principles”). GHI has certified that it adheres to the Principles. To learn more about the Principles and to view GHI’s certification, please visit: https://www.privacyshield.gov/list. The Federal Trade Commission has jurisdiction over GHI’s compliance with this Policy, the EU-US Privacy Shield Framework and the US-Swiss Safe Harbour Framework.
This Policy applies to all Personal Data received by us in the United States of America from the European Union member countries and Switzerland, in any form including electronic.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that collects or uses personal information under our instructions or to which we disclose personal information for use on our behalf. These third parties are most commonly: employee payroll, employee benefits, distribution, service, and billing partners.
“GHI” means GHI, and our successors, affiliates, subsidiaries, divisions and groups in the United States of America, EEA, and Switzerland. GHI is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
“Personal Data” or “Personal Information” means any information or set of information that identifies or is used by or on behalf of us to identify an individual in the context of providing our services. Personal Data does not include information that is encoded or anonymised.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, criminal convictions or indictments, trade union membership, or that concerns health or sex life, and any other categories of information identified as sensitive personal information by the applicable local laws. We will treat any information received from a third party as sensitive personal information where that third party treats and identifies the information as sensitive personal information.
5. EU-US Privacy Shield Principles
The privacy principles in this Policy are based on the Privacy Shield Principles.
Notice: Where we collect Personal Data directly from individuals (such as employees or customers) in the EU, we will inform them about:
- our participation in the Privacy Shield and the web address for the Privacy Shield list;
- the types of Personal Data collected and the purposes for which we collect and use that information;
- our commitment to apply the Privacy Shield Principles to all Personal Data received from the EU under the Privacy Shield;
- how to contact us with any inquiries or complaints;
- the type of Agents to which we disclose Personal Data, and for what purposes;
- their right to access their own personal data;
- the independent dispute resolution body (the ICDR/AAA (American Arbitration Association), an alternative dispute resolution provider based in the United States) we have designated to address complaints, free of charge to a complainant;
- our being subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission;
- the possibility, in some circumstances, that the individual may invoke binding arbitration;
- the requirement that we disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
- our liability in cases of onward transfers to third parties.
Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to us, or as soon as possible thereafter, and in any event before we use or disclose the information for a purpose other than the original purpose for which it was collected.
Where we receive Personal Data from our subsidiaries, affiliates or other entities in the EU, we will use and disclose such information in accordance with the notices provided by such entities and the choices made by individuals regarding their Personal Data.
Choice: We do not use Personal Data for purposes other than for those for which it was collected. We do not share such information with non-Agent third parties, unless required by law.
Accountability for Onward Transfer (transfers to Agents): We only transfer Personal Data to Agents for limited and specified purposes, consistent with any notice provided to you and consent given. We transfer Personal Data to Agents only if the Agent agrees to provide the same level of privacy protection as is required by this Policy and the Privacy Shield Principles. We require Agents to notify us if they determine that they can no longer provide the protections required by the Privacy Shield Principles. Where we know an Agent is using or disclosing Personal Data in a manner contrary to the Privacy Shield Principles, we will take all reasonable steps to stop and remediate unauthorised processing of Personal Data.
Security: We take all reasonable precautions to protect Personal Data in our possession from loss, misuse and unauthorised access. In addition, we will take all reasonable steps to prevent unauthorised disclosure, alteration and destruction of Personal Data.
Data Integrity and Purpose Limitation: We will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorised by the individual. We will take all reasonable steps to ensure that Personal Data we process is limited to only what is relevant to the purposes for which it was collected and that it is accurate, complete, and up-to-date.
Access: Upon request, we will grant individuals reasonable access to Personal Data that we hold about them, which consists mainly of information received from our customers. In addition, we will take reasonable steps to permit individuals to correct, amend, or delete information that is inaccurate, incomplete, or has been processed in violation of Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual requesting the data would be violated). We are unable to correct anything other than factual errors in any report we produce for our customers because the report is based on information provided by such customers. However, we will take all reasonable steps to facilitate amendments to information provided by our customers if an individual raises a query.
Recourse, Enforcement and Liability: We will conduct compliance audits of our relevant privacy practices, for example our information and data processing systems, to verify adherence to this Policy. Any employee who we determine is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
Please direct any questions or concerns regarding the use or disclosure of Personal Data to the GHI data protection officer at the address below. At no cost to you, we will investigate and attempt to resolve complaints and disputes regarding use and disclosure of your Personal Data in accordance with the principles contained in this Policy. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit http://info.adr.org/safeharbor for more information on how to file a complaint. For complaints that cannot be resolved between us and a complainant, we have selected an independent recourse mechanism, the ICDR/AAA (American Arbitration Association), an alternative dispute resolution provider based in the United States, to resolve disputes pursuant to the Privacy Shield Principles. The services of ICDR/AAA are provided at no cost to you. The same chain of complaint resolution is available for possible unfair or deceptive practices and violations of laws or regulations governing privacy. In certain limited circumstances, individuals have the right to invoke binding arbitration by delivering notice to GHI at the contact address below. For more information about binding arbitration under the Privacy Shield, please read “ANNEX I” on page 12 of the document found here: http://ec.europa.eu/justice/data-protection/files/factsheets/annexes_eu-us_privacy_shield_en.pdf.
6. U.S.-Swiss Safe Harbour Privacy Principles
We continue to comply with the US-Swiss Safe Harbour Framework as set forth by the US Department of Commerce regarding the collection, use and retention of Personal Data from Switzerland. We adhere to the seven Safe Harbour Privacy Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. If there is any conflict between the policies in this Policy and the Safe Harbour Privacy Principles, the Safe Harbour Privacy Principles shall govern. To learn more about the US-Swiss Safe Harbour program, please visit http://www.export.gov/safeharbor, and to view CDS’ certification page, please visit https://safeharbor.export.gov/list.aspx.
7. Limitation on Application Of Principles
Adherence by us to these Privacy Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.
8. Internet Privacy
We regard the Internet and the use of other technologies as valuable tools for communicating and interacting with our patients, employees, healthcare professionals, business partners, and others. We understand the importance of maintaining the confidentiality of information collected and/or stored online, and we have systems in place that protect data collected and/or stored online or via an electronic database. Personal Data that is transferred from the EEA or Switzerland to the United States of America will be treated in accordance with this Policy.
9. Inquiries and Complaints
Inquiries, comments or complaints should be submitted to the GHI data protection officer by mail as follows:
GENOMIC HEALTH, INC.
ATTN: Data Protection Officer
301 Penobscot Drive
Redwood City, California 94063
We may amend this Policy from time to time by posting a revised Policy at http://www.genomichealth.com/privacy. We will only amend this Policy in a manner consistent with the requirements of the EU-US Privacy Shield, the US-Swiss Safe Harbour and other applicable law.