Last Updated: 4/24/2017
At VIDA Diagnostics Inc. (together with any affiliates henceforth referred to as “VIDA,” “Us,” and “We”), we value and respect individual privacy and are strongly committed to safeguarding personal data, including health data. VIDA provides certain software and services that are routinely used by health care providers and others in clinical practice, along with academic, device, and pharmaceutical clinical trials. In conjunction with our software and services, we may receive, transmit, store and otherwise use personal data from our customers. VIDA may access this personal data to provide the software or services, to correct and address technical or service problems, to follow instructions of the customer who submitted the data, or in response to contractual requirements.
In order to ensure compliance by us and our customers based in the European Union (EU) and European Economic Area (EEA) with the applicable privacy laws, VIDA offers its customers Standard Contractual Clauses (henceforth referred to as “The Model Clauses”) to incorporate in our written agreements. The Model Clauses make specific commitments about the ways in which VIDA will process personal data transferred to VIDA for in-scope VIDA services and cannot be modified. The Model Clauses were issued by the EU Commission to provide EU data Controllers a framework for ensuring adequate safeguards consistent with EU data protection laws are established for personal data transfers outside the EU, in compliance with the principles of Article 17 (4) of Directive 95/46/EC of the European Parliament (the “Directive”) or, as of its entry into force, Article 28 (3) of Regulation (EU) 2016/679 of the European Parliament (the “Regulation”).
The Model Clauses are applicable only to Personal Data (defined below) made available to VIDA by customers in the EEA or Switzerland for processing in conjunction with VIDA software and services.
VIDA has invested in the operational processes necessary to meet the requirements of The Model Clauses.
- ‘Controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
- ‘Data Exporter’ means the controller who transfers the personal data;
- ‘Data Importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘Data Subject’ shall have the meaning as defined in the Data Protection Directive, or, as of its entry into force, in the General Data Protection Regulation;
- ‘subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract.
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
- ‘third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;
Source: EU Data Protection Directive (95/46/EC).
It is VIDA’s policy to:
- Data transfer. Safeguard transfers of personal data to VIDA as mutually agreed to by all relevant parties in The Model Clauses.
- Data processing. Process the personal data only on behalf of the customer and in compliance with its instructions and the Model Clauses.
- Notification. Promptly inform the customer of:
  - Its inability to comply with its instructions or The Model Clauses and agree to suspend the data transfer activities and/or terminate the agreement at the customer’s request;
  - Any legally binding request for disclosure of the personal data by a law enforcement authority unless the notification is lawfully prohibited;
  - Any instances of accidental or unauthorized access to personal data covered by The Model Clauses;
  - Any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so.
- Responsiveness and Cooperation With Authorities. Promptly address inquiries from the customer relating to its processing of transferred personal data and abide by the advice of relevant EU authorities with regard to the processing of the transferred data.
- Technical and Organizational Security Measures. Apply the technical and organizational security measures specified in the Model Clauses to the personal data before processing the personal data. The technical and organizational security measures that are agreed to will provide at least the same level of protection for the personal data and the rights of EU data subjects as the customer. Strong encryption, integrity controls, and firewall technology are examples of data transfer safeguards that are typically agreed to in The Model Clauses. VIDA also encourages all customers who send patient studies or clinical data to VIDA for analysis to anonymize the patient information prior to transmission, whenever appropriate. If patient data arrives in identifiable form—and when the information is not expressly required to remain in identifiable form—we will destroy the data in-house per established processes.
- Audit. Submit its processing activities (and those of its subprocessors) covered by the Model Clauses to audit by the customer, its agent, or an inspection body operating on behalf of a relevant EU authority.
- Data Subject Requests and Disputes. Make available to data subjects upon their request a copy of the Model Clauses, or any existing contract that governs subprocessing activities. With the exception of information about technical and organizational security measures specified in The Model Clauses, elements of the Model Clauses that contain sensitive commercial information may be redacted. In the event of a dispute about, VIDA shall oblige any requests by the EU Data Subject to refer the dispute to mediation by an independent body or the Supervisory Authority or to the courts in the Member State in which the Data Exporter resides.
- Third Parties. Obtain written permission from or provide written notice to customers before engaging subcontractors to process personal data covered by the Model Clauses. VIDA enters into written agreements with its subcontractors and the agreements impose the same obligations under the Model Clauses that apply to VIDA. VIDA will provide a copy of third party agreements to the customer upon request.
- Termination of Services. Upon termination of services for a customer, return or destroy, as allowed by law and the other terms of the service agreement with the customer, all the transferred personal data and the copies thereof that had not been destroyed previously in the normal course of the service – and certify to the customer that it has done so. Patient data inappropriately transmitted to VIDA is destroyed upon receipt.
- Additional Obligations. Observe the requirements of any other Model Clauses entered into with customers not explicitly mentioned in this statement.
- Compelled disclosure: VIDA may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have questions about our privacy practices or our treatment of the personal information you provide us, contact us at:
VIDA Diagnostics Inc.
2500 Crosspark Road
W250 BioVentures Center
Coralville, IA 52241
Toll free: 1.855.900.VIDA (8432)