Last update 21 June 2021
This policy is divided into the following sections:
D: Data Protection Principles
E: Uses of Personal Data
F: Purposes of Processing Personal Data
G: Legal Bases for Processing Personal Data
H: Data Subject Rights
J: Data Transfers Outside the EEA
K: Disclosing Personal Data to Third Parties
L: Links and Third-Party Applications
M: Data Retention
N: Data protection queries and complaints
O: Definitions / Abbreviations
Genuity Science collects, uses, Processes and stores Personal Data about healthcare providers, Data Subjects or research study participants, collaborators, customers, suppliers, clients and other individuals who come into contact with us. We handle Personal Data with due care and in accordance with applicable Data Protection Laws.
We take our data protection responsibilities seriously. We understand that Personal Data must be Processed in accordance with Data Protection Laws. In this regard, our employees, consultants and other individuals who handle Personal Data on our behalf are expected to comply with this Policy and applicable Data Protection Laws.
All Genuity Science staff are responsible for complying with this Policy.
In relation to data protection compliance the DPO’s responsibilities include, but are not limited to:
When Processing Personal Data, we comply with the following data protection principles:
Genuity Science processes the following Personal Data:
Genuity Science’s Website:
Genuity Science’s Research Studies:
Suppliers, Collaborators and Customers:
Genuity Science only uses Personal Data for the purpose(s) for which the Personal Data has been obtained.
The Processing purposes are clearly specified, and the Data Subject(s) will be informed about these purposes at the time of Personal Data collection or as soon as reasonably possible thereafter, to the extent reasonably possible.
Some examples of the reasons for which Genuity Science Processes Personal Data include, without limitation:
Genuity Science only Processes Personal Data if one or more of the legitimate grounds set out below, which allow for compliant Processing of such Personal Data, apply:
Personal Data can be processed if the Data Subject has given his or her consent (preferably in writing or via e-mail, or via the website personal cookie settings page). The consent relates to the specific purpose for which the Personal Data is required.
Genuity Science ensures that Data Subjects are adequately informed about the Processing purposes before consent is requested. If there are multiple Processing purposes, separate consents may be required for each Processing type. The consent(s) provided are held on file as evidence of the consent(s) given.
Data Subjects may withdraw their consent to these types of Processing activities at any time (Please also see legitimate interests below) either directly for website usage via the personal cookie settings page, or by contacting our Data Protection Officer (contact details outlined below).
This applies, for example, in relation to Processing of Personal Data necessary for the purposes of:
Examples of our or a third party’s legitimate interest for Processing include, without limitation, carrying out regular business activities including:
Such Processing may include, for example, the disclosure of Personal Data if demanded by the judiciary or a tax authority. Such Processing may also include Processing of Personal Data for anti-money laundering purposes.
Data Subjects have certain rights under applicable Data Protection Laws, as explained below. The procedures below explain how Data Subjects’ rights are given effect, upon receipt by our Data Protection Officer of a written request or objection relating to the processing of their Personal Data by us when we are acting as a Data Controller:
Every Data Subject is entitled to apply to us requesting a summary and a copy of his/her Personal Data processed by us or on our behalf.
If Personal Data processed by us is believed to be inaccurate or incomplete, the Data Subject is entitled to request that Genuity Science take measures to have such Personal Data corrected, added to, protected or deleted.
Every Data Subject is entitled to object to the Processing of his/her Personal Data based on the legitimate interests of the Data Controller.
Every Data Subject can request that Genuity Science provides his/her Personal Data in a structured and electronic form to the Data Subject or, if technically consistent with our information technology systems, to transfer the Personal Data in an electronic form directly to a third party identified (in writing) by the Data Subject.
The Data Subject can request that Genuity Science restricts the Processing of his/her Personal Data where the accuracy of the Personal Data is contested, the Processing by us is unlawful, or Genuity Science no longer needs the Personal Data.
The Data Subject has a right to object to any automated decision making, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him/her.
Whilst Profiling is a key component in facilitating Genuity Science’s research studies, Genuity Science does not engage in automated decision-making based on such Profiling activities.
Security of Personal Data
Data Breach / Security Breach
In the event of a Data Breach, Genuity Science will comply with applicable Data Protection Laws governing the reporting of such breaches and manage the Data Breach in accordance with our Security Incident Response policy.
Our Security Incident Response policy is followed as soon as it is identified that a possible Data Breach has occurred.
Research study Participants’ Data:
Genuity Science collates pseudonymized Personal Data collected from volunteer research participants for scientific research studies, in collaboration with its academic and/or commercial partners, in a database.
The database that contains participants’ pseudonymized Personal Data (including health, lifestyle and genomic data) is stored in the EU/EEA and all decisions about the Processing of EU/EEA research participants’ Personal Data are made in Ireland.
Access to EU/EEA citizens’ pseudonymized Personal Data may need to be provided to individuals or entities located outside the EU/EEA, either internally within the Genuity Science organization, or externally to third party academic and/or commercial researchers on a strictly controlled and monitored basis. This restricted access is deemed to be a data transfer for the purposes of Data Protection Laws. Any such data transfer occurs in accordance with applicable Data Protection Laws, utilizing an appropriate EU/EEA approved data transfer mechanism, such as Standard Contractual Clauses.
Genuity Science takes all reasonable and proportionate steps to ensure that this pseudonymized Personal Data is treated securely and in accordance with this Policy at all times.
Genuity Science may receive Personal Data, such as contact information, from an individual through use of Genuity Science’s online contact forms or other communication channels. Genuity Science transfers this Personal Data across its office and laboratory locations and has appropriate, EU Commission approved data transfer mechanisms in place to ensure the compliant transfer of such Personal Data.
In the course of providing services to customers and other parties, Genuity Science may receive Personal Data of EU/EEA citizens in its role as a Data Processor of such Personal Data. Genuity Science will only transfer such Personal Data outside of the EU/EEA on the explicit direction of the customer in its capacity as a Data Controller and subject to the implementation of the appropriate EU Commission approved data transfer mechanisms, such as Standard Contractual Clauses.
From time-to-time, Genuity Science may disclose Personal Data to third parties or allow third parties to access Personal Data processed by us in accordance with Data Protection Laws.
Categories of third parties with whom Genuity Science may share Personal Data include commercial partners and academic institutions for the purpose of scientific research.
Where we share such Personal Data with third parties in our capacity as a Data Controller, notwithstanding the Processing of the Personal Data by the third party, Genuity Science remains a Controller of the Personal Data.
Where we share such Personal Data with third parties in our capacity as a Data Processor, Genuity Science does so at the direction of the Data Controller only and notwithstanding the sub-processing of the Personal Data by the third party, Genuity Science remains a Processor of the Personal Data and responsible for such third-party sub-processing activities.
Genuity Science keeps Personal Data of Data Subjects only as long as the Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which that Personal Data has been collected.
Genuity Science periodically reviews the necessity of retaining all the Personal Data it collects and processes in its research studies, to assess whether there is a clear necessity for ongoing retention for the purposes for which the data was collected.
To determine the appropriate retention period for Personal Data, Genuity Science considers the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of such Personal Data, the purposes for which Genuity Science processes Personal Data and whether Genuity Science can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Any data that is no longer being used will be securely deleted.
Genuity Science is committed to protecting Personal Data and Processing Personal Data in compliance with Data Protection Laws. If Data Subjects wish, they can raise a query or make a complaint about compliance with this Policy, Data Protection Laws and/or regulations by sending their complaint or query to our Data Protection Officer. The Data Protection Officer is responsible for handling complaints arising from, or made in accordance with, this Policy.
Should you wish to raise a query or make a complaint about our Personal Data processing practices, or if you have any other questions or concerns relating to Genuity Science’s approach to data protection, please contact the Genuity Science Data Protection Officer (DPO).
Please write to the DPO using the email address: email@example.com or by post to:
The Data Protection Officer
Genuity Science (Ireland) Limited
Cherrywood Business Park, Building 4,
Dublin, D18 K7W4
Every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of Personal Data relating to him or her infringes Data Protection Laws. The supervisory authority of Genuity Science is the Data Protection Commission, which can be contacted via its website: www.dataprotection.ie
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires certain health care entities to develop policies and procedures to ensure the privacy and security of, and safeguard access to and disclosure of, health information, also known as “protected health information” (PHI). The federal government has privacy rules which require Genuity Science to provide you with information on how Genuity Science might use or disclose your PHI.
HIPAA requires Genuity Science to maintain the privacy of your PHI. This Notice is intended to inform you of Genuity Science’s legal obligations under HIPAA and related regulations to:
This Notice informs you about how Genuity Science uses and discloses any PHI it may hold and explains the rights that you have with regard to the PHI that Genuity Science maintains about you.
HOW GENUITY SCIENCE MAY USE OR DISCLOSE YOUR PHI WITHOUT AUTHORIZATION
Genuity Science is only permitted to use or disclose your PHI without your authorization if it falls within one of the categories below. If your PHI contains information regarding your mental health or certain diseases (including HIV/AIDS tests or results), we may be required by state and federal confidentiality laws to obtain your consent prior to certain disclosures.
The following categories describe different ways that we may use and disclose your PHI. For each category of uses or disclosures, we try to explain what we mean and provide some examples.
Categories for Uses and Disclosures
We will use your PHI for Treatment: your PHI may be used to assist with medical treatment or services and may be disclosed to authorized healthcare professionals involved in your care.
We will use your PHI for Payment: your PHI may be used or disclosed in order to obtain payment for the services provided. For example, your PHI may be disclosed to bill you or your health insurer for your tests.
We will use your PHI for Health Care Operations: your PHI may be used or disclosed for activities necessary to support our healthcare operations, for example, for quality verification or internal audits, and other activities that may improve the quality of care given to patients. Your PHI may be used and disclosed to other companies (“business associates”) to support administrative functions.
We are likely to use or disclose your PHI for the following purposes:
HIPAA authorizes Genuity Science, and its business associates, to use and/or disclose your PHI without your authorization in the following instances and for the following purposes.
When Required By Law. We may disclose your PHI when required to do so by federal, state or local law.
For Health and Safety Purposes. We may disclose your PHI where necessary to prevent a serious threat to your health and safety or that of another person.
Special Situations – Your PHI may be used and disclosed without your authorization in the following special circumstances:
For Active Members of the Military and Veterans to comply with the laws and regulations governing military services and veterans’ affairs.
For Workers’ Compensation to comply with the laws which provide benefits for work-related illnesses or injuries.
In Emergency Situations to provide for a family member or close personal friend involved in your care in the event of an emergency, or to a disaster relief entity in the event of a disaster. Your PHI may be disclosed to other persons involved in your care in more limited circumstances.
Research: We may disclose your PHI to researchers when their research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.
For Organ, Eye and Tissue Donation, if you are an organ donor, to an organ or procurement organization to facilitate an organ, eye, or tissue donation and transplantation.
Regarding Deceased Individuals to coroners, medical examiners, and funeral directors so those professionals may perform their duties.
To Correctional Facilities, if you are an inmate in a correctional facility, for certain purposes, such as providing health care to you or protecting your health and safety or that of others.
In other cases, such as marketing, the sale of PHI, the use or disclosure of psychotherapy notes or other uses or disclosures not set out in this notice, we may use or disclose your PHI only with your written authorization. You may revoke your authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose PHI except as described above (or as permitted by any other authorizations that have not been revoked). However, please understand that we cannot retrieve any PHI disclosed to a third party in reliance on your prior authorization. Once your PHI has been disclosed pursuant to your authorization, the protections HIPAA provides may no longer apply to the disclosed PHI, and the information may be re-disclosed by the recipient without your knowledge or authorization.
YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
The procedures below explain how your rights are given effect, upon receipt by our Data Protection Officer of a written request
Right to Request Restrictions: You have the right to request that Genuity Science not make uses or disclosures of your PHI for the purposes of treatment, payment, or healthcare operations. You may also ask that we limit the information we give to someone who is involved in your care, such as a family member or friend. Please note that we are not required to agree to your request unless, except as otherwise required by law, the disclosure you want to restrict pertains solely to a healthcare item or service for which you have paid out of pocket in full. If we do or must agree, we will honor your limits unless it is an emergency situation. To request a restriction of your PHI, please submit your request in writing.
Right to Receive Confidential Communications or Communications by Alternative Means or at an Alternative Location: You have the right to ask that we communicate with you by another means or at a different address, for example, at home rather than at work. To request communications by another means or at an alternative location, please submit your request in writing to the Genuity Science Privacy Officer (firstname.lastname@example.org), stating the alternative means by which, or location at which, you would like to receive your PHI.
Right to Inspect and Copy: You have the right to inspect and receive a copy of your PHI that Genuity Science or its business associates maintain in a designated record set with certain exceptions. We may ask you to make this request in writing to the Privacy Officer, and we may charge a reasonable fee for the cost of producing and mailing the copies. In certain situations, we may deny your request and will tell you why we are denying it. In some cases, you may have the right to ask for a review of our denial.
Right to Amend: if you believe that the PHI held by Genuity Science or its business associates in a designated record set is incomplete or incorrect, you have the right to request an amendment. Your request must be made in writing and submitted to the Genuity Science Privacy Officer identified below. You must provide a supporting reason for your request and include your contact information. Genuity Science may deny your request if it is not in writing or if it does not include a supporting reason. Genuity Science may also deny your request if you have asked to amend information that:
Right to Receive an Accounting of Disclosures: You have the right to request a list of certain disclosures of your PHI, known as an “accounting”. The accounting lists instances where Genuity Science or its business associates disclosed some portion of your PHI to others and to whom that disclosure was made. The accounting does not include disclosures for treatment, payment, and health care operations; disclosures made to or authorized by you; and certain other disclosures. You may request an accounting of the disclosures made up to six years before your request and you may request such a list by writing to the Genuity Science Privacy Officer. If you want an accounting that covers a time period of less than six years, please state that in your written request for the accounting.
Right to Request a Paper Copy of this Notice: You have a right to receive a copy of this Notice at any time. To obtain it, submit a written request to the Privacy Officer (email@example.com).
Right to Complain: You have the right to complain to Genuity Science and to the Department of Health and Human Services if you believe your privacy rights have been violated. To file a complaint with Genuity Science, submit a written complaint to the Privacy Officer. Genuity Science will not retaliate or discriminate against you or otherwise withhold services, payment, or privileges from you because you file a complaint with Genuity Science or with the Department of Health and Human Services.
Right to Receive A Notice of Certain Breaches: You have the right to receive notice in the event that we or one of our business associates create, receive, maintain or transmit your PHI in an unsecured manner (such as in paper form or if the PHI is in electronic form but is not secured) and a breach of our safeguards occurs.
Policy Changes: Genuity Science reserves the right to revise this notice and to make the new notice effective for all PHI that it maintains. We will post a revised copy of the notice on our website.
Contact us. If you have any questions or concerns about this notice or Genuity Science’s privacy practices, please contact our privacy officer by email at firstname.lastname@example.org
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” or “Controller” means an entity that controls Personal Data by deciding why and how the Personal Data is Processed.
“Data Processor” or “Processor” means an entity that processes Personal Data on behalf of the Controller. A Data Processor may include service providers (for example, a payroll service provider).
“Data Protection Officer” or “DPO” means the individual(s) appointed pursuant to Articles 37-39 of the GDPR to ensure that Genuity Science processes Personal Data in compliance with applicable Data Protection Laws.
“Data Protection Laws” means, for the purposes of this Policy, the General Data Protection Regulation ((EU) 2016/679), the Irish Data Protection Act 2018 and all European Union laws and regulations (with direct effect) relating to the processing of personal data and privacy, along with applicable HIPAA regulations.
“Data Subject” means the living individual to whom the Personal Data relates.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
“GDPR” or “General Data Protection Regulation” means the General Data Protection Regulation ((EU) 2016/679), having direct effect within the EEA as of 25 May 2018.
“HIPAA” or “Health Insurance Portability and Accountability Act of 1996” means the legislation that contains data privacy and security provisions for safeguarding medical information in the United States.
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) specific to that individual which is capable of directly or indirectly identifying that individual.
“Processing” includes collecting, using, recording, organizing, altering, disclosing, destroying or holding Personal Data in any way. Processing can be done either manually or by using automated systems such as information technology systems, and “Process” and “Processing” shall be
“Profiling” is the automated Processing of Personal Data for the purpose of assessing certain aspects relating to an individual so as to analyze or predict the individual’s performance, decisions or behavior.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation, and any Personal Data relating to criminal offences or convictions.