CooperGenomics EU Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Our Privacy Obligations
We understand that your information is personal and we are committed to protecting your privacy. In addition, we are required by law to maintain the privacy of your personal data and to provide you with this Notice of our legal duties and privacy practices with respect to your personal data. When we use or disclose your personal data, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).
2. Who We Are
This Notice describes the privacy practices of CooperGenomics, the contact address for whom is 75 Corporate Drive, Trumbull, CT 06611 USA (“we” or “us”). We use your information as further explained in this Notice. We are the “controller” of your personal data covered by this Notice.
3. What is personal data?
Personal data is any information that relates to a living individual who can be identified directly or indirectly by the data.
Special categories of personal data consist of personal data including information relating to racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, physical or mental health or condition, and sexual life.
4. What information do we need and why?
We produce genetic screenings and tests including CarrierMap, PGS, PGD and Serenity (“Services”). When one of these tests (“the Test”) is ordered by your physician (“the Clinic”) we will be provided with your information by the Clinic for the purposes set out below.
The Clinic will provide us with the following information:
- your name, date of birth and contact details to allow us to associate the results of the Test to the relevant individual and provide the results to the Clinic;
- information relating to your health (including any sample, for example a blood, saliva or embryo biopsy sample, taken by the Clinic and, if applicable, your medical history/health information relating to your pregnancy) to carry out the Test and provide the results to the Clinic. This information is “sensitive data” and we need your explicit consent to do this. Please see below for further details on the requirement of consent; and
- information necessary to process payment for the Services, if applicable.
We will process the information listed above in the United States in order to carry out the relevant Test and provide the results to and further consult with the Clinic.
To enable us to carry out the Tests we use a number of third parties, including laboratories and suppliers providing support services. To the extent that we share your information with such suppliers, these suppliers act as processors of your personal data. You can visit https://www.coopergenomics.com/data-processors/ for a list of the processors we currently use. This information may be updated from time to time.
You should also review the information notice provided by the Clinic, as it should contain further information relating to the use of your personal data.
5. Your Consent to Processing Sensitive Data
Your consent will be obtained before the Test is carried out. You don’t have to provide your consent, but if you don’t we will not be able to carry out the Test. You have the right to withdraw your consent at any time by contacting us at firstname.lastname@example.org. However, if you do so we will not be able to carry out the Test or provide the results to the Clinic. This won’t affect the lawfulness of any processing up to that point.
6. Further Uses of Your Information
In addition to the use of your information set out in Section 4, we extract certain pseudonymized information from the personal data provided by the Clinic for further purposes listed below. For the purposes of the extraction of information and any further uses we will be the “controller” of this information.
A. Health Care Operations. We may use and disclose your information for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. For example, we may use information to ensure the quality of our laboratory testing procedures. We may disclose information to our Quality and Regulatory Manager in order to resolve any complaints you may have and ensure that you are satisfied with our services.
Collecting information on your pregnancy after prenatal diagnosis is part of a laboratory’s standard practice for quality purposes and is required by laboratory accreditation bodies. As such, we may contact your healthcare provider to obtain this information, and you agree to your healthcare provider sharing such information with us for these purposes.
B. Disclosure to Relatives, Close Friends and Other Caregivers. We may use or disclose your information to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if: (1) we obtain your agreement or provide you with the opportunity to object to the disclosure and you do not object; or (2) we reasonably infer that you do not object to the disclosure.
If you are not present for or unavailable prior to a disclosure (e.g., when we receive a telephone call from a family member or other caregiver), we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information under such circumstances, we would disclose only information that is directly relevant to the person’s involvement with your care.
C. As Required by Law. We may use and disclose your information when required to do so by any applicable federal, state or local law.
D. Public Health Activities. We may disclose your information: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to a government authority authorized by law to receive such reports; (3) to report information about products under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.
E. Victims of Abuse, Neglect or Domestic Violence. We may disclose your information if we reasonably believe you are a victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence.
F. Health Oversight Activities. We may disclose your information to an agency that oversees the health care system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.
G. Judicial and Administrative Proceedings. We may disclose your information in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.
H. Law Enforcement Officials. We may disclose your information to the police or other law enforcement officials as required by law or in compliance with a court order.
I. Decedents. We may disclose your information to a coroner or medical examiner as authorized by law.
J. Organ and Tissue Procurement. We may disclose your information to organizations that facilitate organ, eye or tissue procurement, banking or transplantation.
K. Clinical Trials and Other Research Activities. We may use and disclose your information for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your information may be disclosed without your authorization to researchers preparing to conduct a research project, for research on decedents or as part of a data set that omits your name and other information that can directly identify you.
L. Health or Safety. We may use or disclose your information to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.
7. Uses and Disclosures Requiring Your Written Authorization
For any purpose other than the ones described above in Sections 4 and 6, we only use or disclose your information when you give us your written authorization. For example:
A. Marketing. We will obtain your written authorization prior to using your information for marketing purposes. For example, we will not accept any payments from other organizations or individuals in exchange for making communications to you about treatments, therapies, health care providers, settings of care, case management, care coordination, products or services unless you have given us your authorization to do so.
We may market to you in a face-to-face encounter and give you promotional gifts of nominal value without obtaining your written authorization.
B. Sale of Information. We will not make any disclosure of information that is a sale of information without your written authorization.
C. Uses and Disclosures of Your Highly Confidential Information. Federal and state law requires special privacy protections for certain health information about you (“Highly Confidential Information”), including genetic testing results and other health information that is given special privacy protection under state or federal laws other than HIPAA. However, in order for us to disclose any Highly Confidential Information for a purpose other than those permitted by law, we must obtain your authorization.
D. Revocation of Your Authorization. You may revoke any authorization you have provided, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to our Data Protection Officer (whose details are included in the “Contact Us” section below).
8. Legal Basis for Processing
We are legally required only to process your personal data for certain permitted purposes, and can confirm that we only carry out processing where one of the below purposes is met:
A. where processing is necessary for medical diagnosis or the provision of health care or treatment, for example in carrying out the Test and processing the results;
B. to allow us to exercise our rights and obligations at law, for example in relation to disclosures to law enforcement or as otherwise required by law;
C. with your explicit consent, which is obtained prior to your information being provided by the Clinic; or
D. in relation to our processing of your Internet protocol address and other information when you use our website, for the purposes of our legitimate business interests in improving and developing our website for customer use.
9. Transfers of Personal Data
We may share your information with certain third parties as set out in further detail in Sections 4 and 6.
We are part of an international organisation and to ensure the provision of effective and efficient services, we may share your personal data with any member of the CooperGenomics group. In doing so we will at all times take measures to safeguard the security of your personal data.
Your personal data will be stored and processed by us in the United States. You should be aware that the United States has different data protection laws to the European Union. We will transfer your information to the European Economic Area (“EEA”) when we use processors within the EEA for the purposes of carrying out the Test (as set out in Section 4) and when we provide the result of the Test to the Clinic.
10. Data Retention
We will not keep your information for longer than is reasonably necessary for the purpose for which we are using it. What this means in practice will vary between different types of data, and when we consider our approach, we take into account any continued need to process the data, and also our legal obligations relating to health and safety and potential or actual disputes or investigations relating to those matters.
Sometimes we de-identify your information so it can’t be attributed to you individually and use this data for clinical trials and other medical research purposes. Otherwise, we securely erase your information once it is no longer needed.
If you would like to find out how long we keep your Personal Data for a particular purpose, you can contact us at: email@example.com. For more information on how long cookies are stored, please refer to our cookie policy at https://www.coopersurgical.com/cookie-policy.
11. Your Individual Rights
You have the following rights in relation to your personal data:
|Rights||What does this mean?|
|1. The right to be informed||You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Notice.|
|2. The right of access||You have the right to obtain access to your information (if we’re processing it), and certain other information (similar to that provided in this Notice). This is so you’re aware and can check that we’re using your information in accordance with data protection law.|
|3. The right to rectification||You are entitled to have your information corrected if it’s inaccurate or incomplete.|
|4. The right to erasure||This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.|
|5. The right to restrict processing||You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. This right to restrict our processing applies if:|
|6. The right to data portability||You have rights to obtain and reuse your personal data for your own purposes across different services.|
|7. The right to object to processing||You have the right to object to certain types of processing, on grounds relating to your particular situation, including processing for direct marketing (which we do only with your consent). We will be allowed to continue to process your personal data if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or we need this for the establishment, exercise or defence of legal claims.|
|8. The right to lodge a complaint||You have the right to lodge a complaint about the way we handle or process your personal data with the Information Commissioner’s Office (ICO).|
|9. The right to withdraw consent||If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). Please see the “Consent” section above for further details.|
12. Effective Date and Duration of This Notice
A. Effective Date. This Notice is effective on May 25, 2018.
B. Right to Change Terms of this Notice. We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all your Information that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will provide the new notice to all Clinics and will post the latest version on our website at https://www.coopergenomics.com/gdpr-privacy-practices/. You may also request a copy of any new notice by using the contact details below.
13. Contact Us
If you need to contact us for any reason (including with any questions in relation to this Notice or to exercise any of your rights as set out above) please contact our Data Protection Officer at firstname.lastname@example.org.
Before assessing your request, we may request additional information in order to identify you. If you do not provide the requested information and, as a result, we are not in a position to identify you, we may refuse to action your request.
We will generally respond to your request within one month of receiving your request. We can extend this period by an additional two months if this is necessary taking into account the complexity and number of requests that you have submitted.
If you’re not satisfied with our response to your complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (ICO).