XDx complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union (EU) member countries and Switzerland. XDx has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view our certification page, please visit http://www.export.gov/safeharbor/.
This Policy applies to all personal information received by XDx in the United States of America from the EEA and Switzerland, in any form including electronic, paper or verbal.
For purposes of this Policy, the following definitions shall apply:
"Agent" means any third party that collects or uses personal information under the instructions of XDx or to which XDx discloses personal information for use on XDx’s behalf. These third parties are most commonly distribution and billing partners.
"XDx" means XDx, Inc. its successors and affiliates in the United States of America, EU and Switzerland.
"Personal Data" and "Personal Information" are data about an identified or identifiable individual that are within the scope of the Directive on Data Protection (the “Directive”), received by a U.S. organization from the European Union, and recorded in any form. "Personal information" means any information or set of information that is received by or is used by or on behalf of XDx to identify an individual in the context of providing XDx’s services. Such information may include an individual’s name, postal address, e-mail address, telephone number, Social Security number, or other unique identifier. Personal information does not include information that is de-identified.
"Sensitive Personal Information" means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health status. XDx does not collect information that reveals political opinions, religious or philosophical beliefs, or trade union membership, but does collect information that reveals race or ethnic origin, and health status. XDx will treat any information received from a third party as sensitive personal information where that third party treats and identifies the information as sensitive personal information.
4. Privacy Principles
The privacy principles in this Policy are based on the Safe Harbor Principles.
Notice: XDx generally does not collect personal information directly from individuals; however, if XDx does collect personal information directly from individuals in the EEA or Switzerland, it will inform them about the purposes for which it collects and uses such personal information and the types of non-Agent third parties to which it discloses such information, how to contact the organization with any inquiries or complaints, and the choices and means the organization offers individuals for limiting its use and disclosure. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to XDx, or as soon as practicable thereafter, and in any event before XDx uses or discloses the information for a purpose other than that for which it was originally collected.
Where XDx receives personal information from its affiliates or other entities in the EEA or Switzerland, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by individuals in respect of their personal information.
Choice: XDx does not use personal information for purposes other than those for which it was collected, i.e., the provision of XDx’s services. Such information is not disclosed to non-agent third parties.
Onward Transfer (Transfers To Third-Parties): XDx will only transfer personal information about EU individuals to third parties where the third-party:
- Has provided satisfactory assurances to XDx that it will protect the information consistently with this Statement; or
- Is located in the EU or a country considered “adequate” for privacy by the EU Commission, and therefore is required to comply with the EU data protection laws or substantially equivalent privacy laws; or
- Has also certified to the Safe Harbor, and is accordingly independently responsible for complying with the Safe Harbor requirements.
Security: XDx will take all reasonable precautions to protect personal information that it creates, maintains, uses and disseminates. In addition, XDx will take all reasonable steps to prevent unauthorized access and disclosure, loss, alteration or destruction.
Data Integrity: XDx will use personal information only in ways that are compatible with and relevant for the purposes for which it was collected or subsequently authorized by the individual. To the extent necessary for those purposes, XDx will take all reasonable steps to ensure that personal information is relevant to its intended use and is accurate, complete, and up-to-date.
Access and Correction: Upon written request to XDx, XDx will provide EU individuals with reasonable access to their personal information. XDx will also take reasonable steps to allow EU individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction rights, as set forth in the US Department of Commerce’s Safe Harbor website (http://www.export.gov/safeharbor/).
Enforcement: XDx will conduct compliance audits of its relevant privacy practices, for example its information systems and data processing installations, to verify adherence to this Policy. Any employee that XDx determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
Dispute Resolution: Any questions or concerns regarding the use or disclosure of personal information should be directed to the XDx Privacy Officer at the address given below. XDx will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy. For complaints that cannot be resolved between XDx and the complainant, XDx has agreed to participate in the dispute resolution procedures established by the European data protection authorities and the Swiss Federal Data Protection and Information Commissioner to resolve disputes pursuant to the Safe Harbor Principles.
Limitation On Application Of Principles
Adherence by XDx to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.
5. Contact Information
Questions or comments regarding this Policy should be submitted to the XDx Privacy Officer by mail as follows:
ATTN: Privacy Officer
3260 Bayshore Blvd.
Brisbane, California 94005
For complaints regarding our handling of personal and sensitive information, contact the XDx Privacy Officer at the address above, or our Customer Service team at firstname.lastname@example.org or +1-415-287-2401.
EFFECTIVE DATE: 28 Feb 2013