EU – U.S. and Swiss-US Privacy Shield Policy

Vanguard Genetics Corporation


Vanguard Genetics, DBA Alliance DNA Laboratory (“ADL” or “We”) complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. ADL has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, visit https://www.privacyshield.gov.

ADL respects individual privacy and values the confidence of its customers, employees, consumers, business partners and others. Not only does ADL strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, it also has a tradition of upholding the highest ethical standards in its business practices. This EU-U.S. and Swiss-US Privacy Shield Policy (the “Policy”) sets forth the privacy principles that ADL follows with respect to transfers of personal information from the European Union (EU) and Switzerland to the United States.

The General Data Protection Regulation (GDPR) is a set of laws enacted in the EU in 2018. Privacy Shield is an agreement between the EU and US allowing for the transfer of personal data from the EU to the US. The GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. Privacy Shield is designed to create a program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information in compliance with the GDPR requirements.

Compliance with EU-U.S. and Swiss-US Privacy Shield Principles

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the “EU-U.S. and Swiss-US Privacy Shield Framework”) to enable U.S. companies to satisfy the requirement under European Union and Swiss law that adequate protection be given to personal information transferred from the EU or Switzerland to the United States.

ADL recognizes that the European Community has established a data protection regime which applies to the European Economic Area (“EEA”) and restricts companies in the EEA in transferring personal data about individuals in the EEA to the United States, unless there is “adequate protection” for such personal data when it is received in the United States. To create such “adequate protection,” ADL adheres to the EU-U.S. Privacy Shield Framework published by the U.S. Department of Commerce (“EU-U.S. Privacy Shield Principles”) with respect to personal data about individuals in the EEA that we receive from our customers and other business partners. ADL’s EU-U.S. Privacy Shield Certification also extends to data that we receive directly through ADL’s publicly accessible websites via secure form submission (such as www.AllianceDNA.com). More information on the EU-U.S. and/or Swiss-US Privacy Shield and ADL’s scope of participation in the EU-U.S. and Swiss-US Privacy Shield Frameworks is available at www.privacyshield.gov/.

Adherence to Privacy Shield Principles

Client Personal Data processed or stored by ADL may be subject to contractual agreements with our clients that require more stringent privacy and security safeguards than the requirements in the EU-U.S. or Swiss-US Privacy Shield. At a minimum, however, ADL handles Client Personal Data in accordance with our EU-U.S. or Swiss-US Privacy Shield Policy, which is based upon the seven principles identified in the EU-U.S. and Swiss-US Privacy Shield Frameworks.

This Notice addresses data subjects residing in the EU (“EU Persons”) whose data we may receive from one of our customers, suppliers or other business partners in the EU, e.g., referral partners, integration partners, etc. When ADL receives Client Personal Data for processing pursuant to instructions of clients or their partners, we are acting as an agent for our client and do not provide notice to individuals regarding the collection and use of their personal data. Our clients remain responsible for providing notice, if and to the extent they believe such notice is necessary under applicable EU law.

Business Purposes for the Collection and Use of Personal Data

ADL sells laboratory services largely to small and enterprise businesses, as well as direct to the consumer. We receive mostly business-related information from the EU or Switzerland, including contact information of individuals and representatives of businesses with whom we or our customers are dealing, including, without limitation, names, addresses, work phone numbers, work email addresses, etc. of EU Persons (“EU Data”) or Swiss individuals. In connection with some services, e.g., ADL’s Lead Management services, our customers use our hosted technology platform to store and process EU Data at their own discretion. ADL will not use Client Personal Data for any purposes other than those for which ADL clients provide such information.

ADL collects and uses EU and/or Swiss Data for purposes of providing products and services to our customers, communicating with business partners about business matters, processing EU or Swiss Data on behalf of corporate customers, providing information on our/their services, and conducting related tasks for legitimate business purposes.

Accountability of Onward Transfer

ADL recognizes potential liability in cases of onward transfer to third parties. ADL will not transfer any personal information to a third-party without first ensuring that the third-party adheres to the Privacy Shield principles. ADL does not transfer Client Personal Data to unrelated third parties, unless lawfully directed by a client, or in certain limited or exceptional circumstances in accordance with the EU-U.S. or Swiss-US Privacy Shield Frameworks. For example, such circumstances would include disclosures of Client Personal Data required to meet national security or law enforcement requirements, or disclosures made in the vital interest of an identifiable person such as those involving life, health or safety.

In the event that ADL is requested to transfer Client Personal Data to an unrelated third party, ADL will ensure that such party is either subject to the EU-U.S. or Swiss-US Privacy Shield Agreement, subject to similar laws providing an adequate and equivalent level of privacy protection, or will enter into a written agreement with the third party requiring them to provide protections consistent with the EU-U.S. or Swiss-US Privacy Shield Frameworks and ADL’s EU-U.S. or Swiss-US Privacy Shield Policy. Should ADL learn that an unrelated third party to which Personal Data has been transferred by ADL is using or disclosing Personal Data in a manner contrary to this Policy, ADL will take reasonable steps to prevent or stop the use or disclosure.

Contact information and Client Personal Data are accessible only by those ADL employees and consultants who have a reasonable need to access such information in order for us to fulfill contractual, legal and professional obligations. All of our employees and consultants have entered into strict confidentiality agreements, and/or have been subjected to thorough criminal background checks requiring that they maintain the confidentiality of Client Personal Data.

You have the right of access to a copy of the information comprised in your personal data and may at any time request the destruction of all records associated with your casework by sending a notarized letter detailing the request for records destruction to:

Attn: General Counsel
3655 Research Road
MSC3ARP
Las Cruces, NM 88003

Annual Assessment

ADL assures compliance with this EU-U.S. Privacy Shield Policy and the Swiss-U.S. Privacy Shield Framework by utilizing the self-assessment approach as specified by the U.S. Department of Commerce. The assessment is conducted on an annual basis to ensure that all of ADL’s relevant privacy practices are being followed in conformance with this EU-U.S. Privacy Shield Policy and the Swiss-U.S. Privacy Shield Frameworks. Any employee that ADL determines is in violation of these policies will be subject to discipline, up to and including termination of employment and/or criminal prosecution.

Applicability

ADL is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

ADL also assures compliance with this EU-U.S. Privacy Shield Policy and the Swiss-U.S. Privacy Shield Frameworks by fully investigating and attempting to resolve any complaint or dispute regarding the use and disclosure of personal data in violation of this Privacy Policy.

With respect to marketing emails, EU Persons or Swiss individuals may opt out of receiving further email communications from ADL or ADL clients by following the opt-out instructions contained at the bottom of the email communication you received.

EU-U.S. and Swiss-US Privacy Shield Policy Updates

This EU-U.S. and Swiss-US Privacy Shield Policy may occasionally be updated. When material updates are made, the date of the last revision will be reflected at the end of the page. This page may be bookmarked to facilitate periodic review of this EU-U.S. or Swiss-US Privacy Shield Policy and to note recent updates. Neither this EU-U.S. and/or Swiss-US Privacy Shield Policy nor updates to it will affect or modify any contracts we have with our clients.

Access, Review & Update

If you are an EU Person or Swiss individual about whom we hold EEA or other personal or private Data on a client’s behalf, you may request access to, and the opportunity to update, correct or delete, such EEA or other personal or private Data. To submit such requests or raise any other questions, please contact the business that provided your EEA or other personal or private Data. You can also contact our EU-U.S. and/or Swiss-US Privacy Shield Contact. We reserve the right to take appropriate steps to authenticate an applicant’s identity, to charge an adequate fee before providing access and to deny requests, except as required by the EU-U.S. or Swiss Privacy Shield Frameworks.

EU-U.S. and Swiss-U.S. Privacy Shield Complaints

In compliance with the EU-US and Swiss-US Privacy Shield Principles, ADL commits to resolve complaints about your privacy and our collection or use of your personal information. European and Swiss individuals with inquiries or complaints regarding this privacy policy should first contact ADL at:

Attn: Chief Operating Officer
3655 Research Road
MSC3ARP
Las Cruces, NM 88003

admin@alliancedna.com
+1 575 489 6688

ADL has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. In addition, it is possible, under certain conditions, for any individual to invoke binding arbitration as described in Annex I of the Privacy Shield Framework: https://www.privacyshield.gov/article?id=D-Binding-Nature-of-Decisions