Safe Harbor Standards
This Safe Harbor Privacy Statement (the “Statement”) sets forth the privacy principles followed by GeneDx in connection with the transfer and protection of “personal information” received from the European Union (EU) or Switzerland.
GeneDx complies with the U.S.-EU Safe Harbor Framework and the U.S.-Switzerland Safe Harbor Framework administered by the U.S. Department of Commerce and self-certifies, on an annual basis, its adherence to the Safe Harbor Privacy Principles. For more information about the Safe Harbor Privacy Principles, please visit the U.S. Department of Commerce’s website at http://www.export.gov/safeharbor/.
“Personal Information” means information that can directly or indirectly lead to the identification of a living person, such as an individual’s name, address, e-mail, telephone number, license number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity. Personal information does not include information that has been anonym zed, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.
This Statement governs personal information transferred from countries in the EU or Switzerland (which has adopted substantially similar privacy laws to those of the EU), to the United States on behalf of GeneDx. It applies to personal information in electronic and off-line formats.
All employees of GeneDX that have access to such EU Personal Data in the U.S. are responsible for conducting themselves in accordance with this Policy. Adherence by GeneDX to this Policy may be limited to the extent required to meet legal, governmental, or national security obligations, but EU Personal Data will not be collected, used, or disclosed in a manner contrary to this Policy.
GeneDX employees responsible for engaging third parties (., temporary staff, independent contractors, sub-contractors, business partners, or vendors) to handle EEA Personal Data covered by this Policy on behalf of GeneDX are responsible for obtaining appropriate assurance that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Policy. Failure of a GeneDX employee to comply with this Policy may result in disciplinary action up to and including termination.
Safe Harbor Privacy Principles
The following privacy principles apply to the transfer, collection, use or disclosure of personal information from the EU or Switzerland by GeneDx.
GeneDx informs individuals in the EU and Switzerland about the purposes for which it collects and uses their personal information, how to contact GeneDx, the types of third parties with which GeneDx shares their personal information, and the choice and means GeneDx offers for limiting the use and disclosure of their personal information.
Consistent with the Safe Harbor requirements, GeneDx may not be in a position to furnish notice in certain limited situations. Specifically, notice is not required where the processing of EU or Swiss personal information is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect GeneDx’ legal interests and providing notice would interfere with those interests.
GeneDx will not process personal information about EU or Swiss individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the EU or Swiss individual unless the individual affirmatively and explicitly consents (“opt-in”) to the processing, or unless an exception applies.
GeneDx also provides EU or Swiss individuals with the opportunity to withdraw consent at any time (“opt-out”), in which case their personal information will not be further processed. There are certain limitations on the right to opt-out, such as those that apply in the clinical research situation. In that situation, GeneDx can continue to rely upon personal information already provided by clinical research participants who choose to discontinue
participation in a clinical trial, to the extent needed to protect the integrity of the study, but cannot collect any additional personal information about that individual once the written request to withdraw participation is received.
GeneDX uses personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. GeneDX takes reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Onward Transfer (Transfers to Third Parties):
In the event GeneDX transfers EEA Personal Data covered by this Policy to a third party, it will do so consistent with any notice provided to Data Subjects and any consent they have given. GeneDX will transfer such Personal Data only to third parties that (a) are located in a jurisdiction subject to the EU Data Protection Directive or with privacy laws considered to be adequate by the European Commission; (b) subscribe to the Safe Harbor Privacy Principles; or (c) have given us contractual assurances that they will provide at least the same level of privacy protection as is required by this Policy and the Safe Harbor Privacy Principles. When GeneDX has knowledge that a third party is using or sharing Personal Data in a way that is contrary to this Policy, GeneDX will take reasonable steps to prevent or stop such use or sharing.
Access and Correction:
Upon written request to GeneDx, GeneDx will provide EU or Swiss individuals with reasonable access to their personal information. GeneDx will also take reasonable steps to allow EU or Swiss individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction rights, as set forth in the US Department of Commerce’s Safe Harbor website, http://www.export.gov/safeharbor/
GeneDx takes reasonable precautions to protect EU or Swiss personal information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.
To ensure compliance with these Safe Harbor Privacy Principles, GeneDx will:
- Cooperate with the Data Protection Authorities (“DPAs”) and other governmental agencies with authority over such matters in the respective EU member states, where it has operations, and with the Swiss Federal Data Protection and Information Commissioner (“Commissioner”) for operations in Switzerland, in the investigation and resolution of complaints that cannot be resolved between GeneDX and the complainant, and comply with advice given by such DPAs and the Commissioner;
- Periodically review and verify its compliance with the Safe Harbor Privacy Principles; and
- Remedy issues arising out of any failure to comply with the Safe Harbor Privacy Principles.
GeneDx acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Safe Harbor participants, and thereafter transfers of Personal Data will not be allowed unless GeneDx otherwise complies with the EU Data Protection Directive or other relevant applicable laws.
GeneDX sees the internet and the use of other technologies as valuable tools for communicating and interacting with consumers, employees, healthcare professionals, business partners, and others. GeneDX recognizes the importance of maintaining the privacy of information collected and/or stored online and has systems in place that protect data collected and/or stored online or via an electronic database. Personal information that is transferred from the EEA or Switzerland to the United States of America will be treated in accordance with this policy.
Limitation on Scope of Principles:
Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.
Contact Information: Questions or comments about this Statement should be directed to:
Sandra Cole, CHC, CPC
475 Edward H. Ross Drive
Elmwood Park, NJ, USA 07047
EFFECTIVE DATE: 18 December 2014