Terms of Service
1. INFORMATION COLLECTION AND USE
We collect two types of information: personally identifiable information and non-personally identifiable information.
1.1 Personally Identifiable Information
1.2 Non-Personally Identifiable Information
We also may collect information that by itself cannot be used to identify or contact you, such as demographic information (like age, profession or gender) and health information (like current body mass index) ("Non-Personally Identifiable Information"). Non-Personally Identifiable Information may also include user IP addresses (to the extent that it is not deemed to be Personally Identifiable Information [NOTE - STATIC IP ADDRESSES ARE GENERALLY CONSIDERED IDENTIFIABLE], browser types, domain names, and other anonymous statistical data. Non-Personally Identifiable Information is used to help us understand who uses the product and to improve our conclusion engine and to assist us in isolating patterns in populations and demographics.
1.3 Information from Other Sources
We may also supplement the information we collect with information from other sources to assist us in evaluating and improving the product and its successors and/or to study stress and health in general.
2. TRANSFER OF YOUR PERSONAL INFORMATION
When you provide us with your Personally Identifiable Information, you acknowledge that this information may be stored and processed on internationally located servers and you consent to your Personally Identifiable Information being exported and shared in this way. The USA does not have data protection legislation, however, we will, of course, keep your information secure.
3. WHERE AND WHEN IS INFORMATION COLLECTED
We may collect information (including information that is Personally Identifiable Information) from you in different manners (including touch-screen responses and in writing) and at different points during your use of the product. The following is a description of the manners in which we primarily collect information about you.
Before any tests are performed or readings obtained, you will be required to submit certain personal details including your name, contact details, date of birth, occupation and nationality. In addition, you will also be required to complete the following on-screen questionnaires:
"Life Style questionnaire" including information such as your smoking habits, alcohol consumption, and dietary and exercise habits. Other relevant questionnaires may be introduced including a "Stress questionnaire" which requires you to indicate how you have been feeling in the past week about a number of matters.
4. COLLECTION OF INFORMATION FROM MINORS
We are committed to protecting the privacy of minors. The products is not designed for use by children and is for use by individuals who are between 18 and 65 years only. We do not collect Personally Identifiable Information from any person we actually know is under the age of 18.
5. WHAT WE DO WITH THE INFORMATION WE COLLECT
We use the information you provide and our sophisticated computerised system that gives detailed information on ECG, EEG, PPG, GSR, and Heart Rate Variability ("HRV") (which monitors the balance or imbalance of the automatic nervous system) to generate a full HRV analysis and lifestyle report.
Your individual reports will also be available on-line.
We may use the information gathered by the product to perform statistical analysis of user behavior, to analyse and evaluate issues relating to stress and health or to evaluate and improve our products and systems. We may link some of this information to Personally Identifiable Information for internal purposes only or to provide analysis to you. From time to time, we would like to send you information about other products or services which we think may be of interest to you. If you do not wish to receive this information any longer please email us at email@example.com.
You give explicit consent to our use of your Personally Identifiable Information for the purposes listed above.
6. DISCLOSURE OF INFORMATION TO THIRD PARTIES
6.1 Affiliates, Agents and/or Commercial Partners
6.2 Laws and Legal Rights
We may also disclose your information (including Personally Identifiable Information) if we believe in good faith that we are required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, or other valid legal process. We may disclose Personally Identifiable Information in special circumstances when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating our Terms & Conditions, or to protect the safety and/or security of our users, the product or the general public.
6.3 Third Parties Generally
We may provide to third parties Non-Personally Identifiable Information, including where such information is combined with similar information of other users of the product. For example, we might inform third parties of the number of individuals who have used the product, the demographic breakdown of our users or information regarding the general health, stress, stress related illnesses or health risks of our users which is Non-Personally Identifiable Information. The third parties to whom we may provide this information may include potential or actual advertisers, providers of advertising services, commercial partners, sponsors, licensees, researchers and other similar parties.
6.4 Outside Contractors
We may employ independent contractors ("Outside Contractors") to provide specific services related to our Website, such as mathematical and statistical analysis and reporting services. These Outside Contractors may sometimes have limited access to information collected by the product, including your Personally Identifiable Information, in the course of providing services to us. Access to your Personally Identifiable Information by these Outside Contractors is limited to the information reasonably necessary in order for the Outside Contractors to perform their limited function for us. We also require that these Outside Contractors
2. Undertake not to use or disclose your Personally Identifiable Information for any purpose other than providing us with services for which we contracted.
6.5 Sale of Business
In the event that the business is sold or integrated with another business, information will be disclosed to our advisers and any prospective purchasers advisers and will be passed to the new owners of the business.
We take reasonable and appropriate steps to protect your information. If you would like information on our security procedures please contact us at firstname.lastname@example.org.
We take reasonable and appropriate measures including encryption to ensure that your personal information is protected from unauthorised access or modification, unlawful destruction and improper use. However, the internet is an open system and we cannot and do not guarantee that the personal information you have submitted will not be intercepted by others and decrypted.
You will be given a personal identification number (PIN) which you will need to enter to access information relating to you via our website. You must keep your PIN confidential and must not disclose it or share it with anyone. You should inform us immediately if your PIN is lost or stolen. We can give no guarantee that Personally Identifiable Information relating to you will be kept confidential if your PIN is lost or stolen.
Notwithstanding the above commitments to protect your information (including Personally Identifiable Information) from loss, misuse or alteration by third parties, you should be aware that there is always some risk involved when information is transmitted over the internet. There is also some risk that others could find a way to thwart our security systems. As a result, while we strive to protect your information, we cannot ensure or warrant the security and privacy of any information you give to us and you do so at your own risk.
8. COLLECTION, DISCLOSURE AND DISTRIBUTION OF PERSONALLY IDENTIFIABLE INFORMATION
You may change the preference you have previously submitted and "opt-out" at any time by withdrawing your permission by contacting email@example.com.
9. UPDATING AND CORRECTING YOUR PERSONALLY IDENTIFIABLE INFORMATION
If your name, address, email address telephone number, job description or place of employment ("Personal Details") that you have provided to us changes, please let us know the correct details by emailing firstname.lastname@example.org.
You can always contact us in order to
1. Update or correct your Personal Details
2. verify what Personal Details we maintain about you
3. delete the Personal Details maintained about you on our systems, by contacting email@example.com
Please note that any information and analysis which has been generated by us following your use of the product and which is based on information provided by you and results obtained through your use of the product is fixed at that point in time and cannot subsequently be amended or updated. If any Personally Identifiable Information other than your Personal Details changes and you wish to update or correct such information, you will need to carry out a further test using the product including completing the relevant questionnaires and a further charge will be payable for the amended report.
You should be aware that it is not technologically possible to remove or verify each and every record of the information you have provided to us from our system. The need to back-up our systems to protect information from inadvertent loss means that a copy of your Personally Identifiable Information may exist in a non-erasable form that will be difficult or impossible for us to locate. We promise that promptly after receiving your request, all Personally Identifiable Information stored in databases we actively use and other readily searchable media will be updated, corrected, changed, deleted or confirmed to you, as appropriate, as soon as reasonably practicable.
11. WHO DO I CONTACT IF I HAVE ANY PRIVACY QUESTIONS?
Email our Privacy Coordinator at: firstname.lastname@example.org
Collection and Use of Personal Information
Personal information is data that can be used to uniquely identify or contact a single person.
Here are some examples of the types of personal information BioScan® may collect and how we may use it.
What personal information we collect
When you create an BioScan® ID, register your products, apply for commercial credit, purchase a product, download a SOFTWARE update, register for a class at an BioScan® Affiliate Universities, or participate in an online survey, we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information.
When you share your content with colleagues using BioScan® products, send gift certificates and products, or invite others to join you on BioScan® forums, BioScan® may collect the information you provide about those people such as name, mailing address, email address, and phone number.
In the U.S., we may ask for your Social Security number (SSN) but only in limited circumstances such as when determining whether to extend commercial credit.
How we use your personal information
The personal information we collect allows us to keep you posted on BioScan®’s latest product announcements, SOFTWARE updates, and upcoming events. It also helps us to improve our SOFTWARE, content, and advertising. If you don’t want to be on our mailing list, you can opt out anytime by updating your preferences.
We also use personal information to help us develop, deliver, and improve our products, SOFTWARE, content, and advertising.
From time to time, we may use your personal information to send important notices, such as communications about purchases and changes to our terms, conditions, and policies. Because this information is important to your interaction with BioScan® , you may not opt out of receiving these communications.
We may also use personal information for internal purposes such as auditing, data analysis, and research to improve BioScan® ’s products, SOFTWARE, and customer communications.
If you enter into a sweepstake, contest, or similar promotion we may use the information you provide to administer those programs.
Collection and Use of Non-Personal Information
We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an BioScan® product is used so that we can better understand customer behavior and improve our products, SOFTWARE, and advertising.
If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.
Cookies and Other Technologies
BioScan® ’s website, online SOFTWARE, interactive applications, email messages, and advertisements may use “cookies” and other technologies such as pixel tags and web beacons. These technologies help us better understand user behavior, tell us which parts of our website people have visited, and facilitate and measure the effectiveness of advertisements and web searches. We treat information collected by cookies
If you want to disable cookies and you’re using your web browser, check with your provider to find out how to disable cookies. Please note that certain features of the BioScan® website will not be available once cookies are disabled.
As is true of most websites, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet SOFTWARE provider (ISP), referring and exit pages, operating system, date/time stamp, and clickstream data.
We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, and to gather demographic information about our user base as a whole. BioScan® may use this information in our marketing and advertising SOFTWARE.
In some of our email messages, we use a “click-through URL” linked to content on the BioScan® website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.
Pixel tags enable us to send email messages in a format customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.
Disclosure to Third Parties
At times BioScan® may make certain personal information available to strategic partners that work with BioScan® to provide products and SOFTWARE, or that help BioScan® market to customers. For example, when you purchase and activate your SOFTWARE you authorize BioScan® to exchange the information you provide during the activation process to carry out SOFTWARE REGISTRATION PROCESS. If you are approved for SOFTWARE, your USER PROFILE will be governed by BioScan® and its respective privacy policies. Personal information will only be shared by BioScan® to provide or improve our products, SOFTWARE and advertising; it will not be shared with third parties for their marketing purposes.
BioScan® shares personal information with companies who provide SOFTWARE such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer SOFTWARE, assessing your interest in our products and SOFTWARE, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information and may be located wherever BioScan® operates.
It may be necessary - by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence - for BioScan® to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
Protection of Personal Information
BioScan® takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.
BioScan® SOFTWARE uses Secure Sockets Layer (SSL) encryption on all web pages where personal information is collected.
When you use some BioScan® products, SOFTWARE, or applications or post on an BioScan® forum, chat room, or social networking site, the personal information you share is visible to other users and can be read, collected, or used by them. You are responsible for the personal information you choose to submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.
Integrity and Retention of Personal Information
Access to Personal Information
We make good faith efforts to provide you with access to your data so you can request that we correct the data if it is inaccurate or delete the data if BioScan® is not required to retain it by law or for legitimate business purposes. We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law.
To provide location-based SOFTWARE on BioScan® products, BioScan® and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your BioScan® computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by BioScan® and our partners and licensees to provide and improve location-based products and SOFTWARE.
Third-Party Sites and SOFTWARE
BioScan® websites, products, applications, and SOFTWARE may contain links to third-party websites, products, and SOFTWARE. Our products and SOFTWARE may also use or offer products or SOFTWARE from third parties. Information collected by third parties, which may include such things as location data or contact details, is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
Our Companywide Commitment to Your Privacy
To make sure your personal information is secure, we communicate our privacy and security guidelines to
BioScan® employees and strictly enforce privacy safeguards within the company.
EU Processor Privacy Rules GDPR Compliant
Article 1 – Scope, Applicability and Implementation
1.1 Scope Medeia Inc as Data Processor
These Rules address the worldwide Processing of Personal Data of individual customers or employees of Business Customers (Business Customer's Individuals Personal Data or BCI Data) by Medeia Inc in its role as a Data Processor in the course of delivering Customer Services.
1.2 Processing in non- Adequate Country
These Rules apply to BCI Data that are:
(i) subject to Data Transfer Restrictions; and
(ii) Processed by Medeia Inc in a non-Adequate Country.
1.2 Electronic and paper-based Processing
These Rules apply to the Processing of BCI Data by electronic means and in systematically accessible paper-based filing systems.
1.4 Applicability of local law and these Rules
Business Customer's Individuals keep any rights and remedies they may have under applicable local law. Where these Rules provide more protection than applicable local law or provide additional safeguards, rights or remedies for Business Customer's Individuals, these Rules shall apply.
1.5 Sub-policies and notices
Medeia Inc may supplement these Rules through sub-policies and notices that are consistent with these Rules.
1.6 Compliance Responsibility
These Rules are binding on Medeia Inc. The Responsible Executive shall be accountable for her business organization’s compliance with these Rules. Medeia Inc Staff must comply with these Rules.
1.7 Effective date
These Rules enter into force as of 16 July 2015 (Effective Date).
1.8 Rules supersede prior policies
These Rules supersede all Medeia Inc privacy policies that exist on the Effective Date to the extent they address the same issues or conflict with the provisions of these Rules.
These Rules shall be implemented within Medeia Inc based on the timeframes specified in Article 15.
1.10 Role of Medeia Inc
Medeia Inc is tasked with the coordination and implementation of these Rules.
1.11 Privacy Officer Advice
Where there is a question as to the applicability of these Rules, Staff shall seek the advice of the appropriate Privacy Officer prior to the relevant Processing.
Article 2 – Business Customer Service Contract
2.1 Business Customer Service Contract
Medeia Inc shall Process BCI Data only on the basis of a written contract with a Business Customer (Business Customer Service Contract). The Medeia Inc Contracting Entity uses Sub-Processors, both Medeia Inc Sub-Processors and Third Party Sub-Processors, in the regular performance of Business Customer Service Contracts. The standard Business Customer Service Contract shall authorize the use of such Sub-Processors, provided that the Medeia Inc Contracting Entity remains liable to the Business Customer for the performance of the contract by the Sub-Processors. If the Business Customer Service Contract explicitly does not authorize the use of Sub-Processors, Article 7 shall not apply.
2.2 Termination Business Customer Service Contract
Upon termination of the Business Customer Service Contract, Medeia Inc shall, at the option of the Business Customer, return the BCI Data and copies thereof to the Business Customer or shall securely destroy such BCI Data and certify to the Business Customer that Medeia Inc has done so, except to the extent the Business Customer Service Contract or applicable law provides otherwise. In that case, Medeia Inc shall no longer Process the BCI Data, except to the extent required by the Business Customer Service Contract or applicable law.
2.3 Audit of termination measures
Medeia Inc shall, at the request of the Business Customer or Relevant Data Protection Authority, allow its Processing facilities to be audited in accordance with Article 10.2 or 10.3 (as applicable) to verify that Medeia Inc has complied with its obligations under Article 2.2.
Article 3 – Compliance Obligations Philips
3.1 Instructions of the Data Con-troller
Medeia Inc shall Process BCI Data only on behalf of the Business Customer and in accordance with any instructions received from the Business Customer.
3.2 Compliance with Applicable Adequate Data Protection Law
Medeia Inc shall Process BCI Data only in accordance with the Applicable Adequate Data Protection Law and shall deal promptly and appropriately with requests for assistance of the Business Customer to ensure compliance of the Processing of the BCI Data with the applicable Adequate Data Protection Law.
3.3 Notification of non-compliance, substantial ad- verse effect
If Medeia Inc:
(i) determines that it is unable for any reason to comply with its obligations under Article 3.1 and 3.2 and Medeia Inc cannot cure this inability to comply; or
(ii) becomes aware of any circumstance or change in the Applicable Data Processor Law, except with respect to the Mandatory Requirements, that is likely to have a substantial adverse effect on Medeia Inc ability to meet its obligations under Article 3.1, 3.2 or 10.3;
Medeia Inc shall promptly notify the Business Customer thereof,in which case the Business Customer will have the right to temporarily suspend the Processing until such time the Processing is adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Business Customer shall have the right to terminate the relevant part of the Processing by Medeia Inc.
3.4 Request for disclosure of BCI Data
Medeia Inc shall promptly notify the Business Customer of any legally binding request Medeia Inc receives for disclosure of BCI Data by a law enforcement authority unless otherwise prohibited by law from making such disclosure.
3.5 Inquiries of the Business Customer
Medeia Inc shall deal promptly and appropriately with inquiries of the Business Customer related to the Processing of the BCI Data pursuant to the terms of the Business Customer Service Contract.
Article 4 – Processor Purposes
4.1 Legitimate Business Purposes
Where Medeia Inc serves as a Data Processor, Personal Data and Sensitive Data may be Processed by Medeia Inc for one or more of the following purposes:
(i) Customer data management information technology services including:
(a) hosting, storage, backup, or archiving;
(b) reporting on the use of data services by a Customer;
(c) security maintenance (e.g., implementing access controls, auditing use, managing servers, managing network security, managing incidents); or
(d) account management of third-party use of Customer-specific Medeia Inc products or services (e.g., use reporting and billing of a Customer's customer on behalf of the Customer).
(ii) Customer support services including:
(a) providing (local and remote) assistance to Customer in the use or repair of Medeia Inc products or services;
(b) Medeia Inc generation of service level reports or other reports on a Customer's use of Medeia Inc products or services for Customer management information purposes; or
(c) life-cycle management of Medeia Inc products and services (e.g., planning, evaluation, demonstration, installation, calibration, training, maintenance, decommissioning) to facilitate continued and sustained use by a Customer of Medeia Inc products and services.
(iii) Customer-specific custom services including:
(a) device or system tuning for the purpose of adjusting the service or product to meet a Customer's specifications (e.g., by engaging application specialists, undertaking project management activities, modifying of device or system);
(b) the collection and analysis of Customer use data to report trends (e.g., specific status reports, management reporting, proactive management for security, the general improvement of Customer's internal operations);
(c) the purchase of goods and services on behalf of a Customer (e.g., contract broadband network service for device placement and data acquisition, third- party hardware integration); or
(d) the provision of training for Customer's staff or third parties (e.g., equipment training, HIPAA training, infection control training, radiation training).
(iv) Medeia Inc internal business process execution and management leading to incidental Processing of Personal Data or Sensitive Data for:
(a) internal auditing of Medeia Inc Processor-related activities;
(b) activities related to compliance with applicable law or regulation (e.g., data processing law, medical device regulation);
(c) data deidentification and aggregation of deidentified data for data minimization; and
(d) use of deidentified, aggregate data to facilitate continuity, sustainability, and improvement of Medeia Inc products and services.
Article 5 – Security Requirements
5.1 Data security
Medeia Inc shall take appropriate, commercially reasonable, technical, physical and organizational measures to protect BCI Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access during the Processing. Medeia Inc shall in any event take the measures specified in Annex 2 of these Rules, which Annex shall be revised by Medeia Inc if so required to reflect industry standards, or such stricter measures as instructed by the Business Customer in the Business Customer Service Contract.
5.2 Data access and confidentiality
Medeia Inc shall provide Medeia Inc Staff access to BCI Data only to the extent necessary to perform the Processing. Medeia Inc shall impose confidentiality obligations on Staff that has access to BCI Data.
5.3 Data Security Breach notification requirement
Medeia Inc shall notify the Business Customer of a Data Security Breach as soon as reasonably possible following discovery of such breach, unless a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security or the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. Medeia Inc shall respond promptly to inquiries of the Business Customer relating to such Data Security Breach.
Article 6 – Transparency to Business Customer's Individuals
6.1 Copy of Data Protection Provisions of Business Customer Service Contract
Medeia Inc shall provide the Business Customer's Individual, at its request, the contact details of the relevant Business Customer. If the Business Customer's Individual is unable to obtain from the Business Customer a copy of the data protection provisions of the relevant Business Customer Service Contract, Medeia Inc shall provide the Business Customer's Individual with a copy of these provisions. Where the disclosure sets forth a description of detailed security measures, Medeia Inc may replace the details with a summary description.
6.2 Other Requests of Business Customer's Individuals
Medeia Inc shall promptly notify the Business Customer of requests (other than requests under Article 6.1) or complaints that are received directly from a Business Customer's Individual without responding to such requests or complaints, unless otherwise instructed by the Business Customer in the Business Customer Service Contract.
If instructed by the Business Customer to respond to requests and complaints of Business Customer's Individuals, Medeia Inc shall ensure that the Business Customer's Individual is provided with all required information (including the point of contact and the procedure) in order for the Business Customer's Individual to be able to effectively make the request or lodge the complaint.
Article 7 – Sub-Processors
7.1 Third Party Sub-Processing Contracts
Third Party Sub-Processors may Process Business Customer Data only if the Third Party Sub- Processor has a written contract with Medeia Inc. The contract shall impose similar data protection-related Processing terms on the Third Party Sub- Processor as those imposed on the Medeia Inc Contracting Entity by the Business Customer Service Contract and these Rules.
7.2 Publication of Overview of Sub-Processors
Medeia Inc shall publish on the appropriate Medeia Inc website an overview of the categories of Sub-Processors (both Third Parties and Medeia Inc) Medeia Inc involves in the performance of the relevant Customer Services. This overview shall be promptly updated in case of changes.
Article 8 – Supervision and compliance
8.1 Chief Privacy Officer
Medeia Inc shall appoint a Chief Privacy Officer who is responsible for:
(i) supervising compliance with these Rules;
(ii) providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues; and
(iii) coordinating, in conjunction with the appropriate staff, official investigations or inquiries into the Processing of BCI Data by a public authority.
8.2 Privacy Council
The Privacy Council, or substituted by board of directors, shall create and maintain a Medeia Inc framework for:
(i) the development of the policies, procedures and system information (as required by Article 9);
(ii) planning training and awareness programs;
(iii) monitoring and reporting on compliance with these Rules;
(iv) collecting, investigating and resolving privacy inquiries, concerns and complaints;
(v) determining and updating appropriate sanctions for violations of these Rules (e.g., disciplinary standards).
8.3 Senior Privacy Officers
Medeia Inc does not have Senior Privacy Officers due to the size of the company.
8.4 Responsible Executive
The Board of Directors is the responsible executive and shall perform at least the following tasks:
(i) ensure that the policies and procedures are implemented and the system information is maintained (as required by Article 9);
(ii) provide such system information to the Senior Privacy Officers necessary as required for her to comply with the task listed in Article 8.3 sub (ii);
(iii) ensure that Personal Data are returned or securely deleted
or destroyed after termination of the Business Customer Service Contract (as required by Article 2.2);
(iv) determine how to comply with the Rules when there is a conflict with applicable law (as required by Article 13.1); and
(v) inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc’s ability to comply with these Rules (as required by Article 13.2).
8.5 Default Privacy Officer
If no Senior Privacy Officer has been designated in a Sector, Country or Region, the Board of Directors is responsible for supervising compliance with these Rules.
8.6 Privacy Officers
Where a Privacy Officer holds her position pursuant to law, she with statutory shall carry out her job responsibilities to the extent they do not position conflict with her statutory position.
Article 9 – Policies, procedures and training
9.1 Policies and procedures
Medeia Inc shall develop and implement policies and procedures to comply with these Rules.
9.2 System information
Medeia Inc shall maintain readily available information regarding the structure and functioning of all systems and processes that Process BCI Data (e.g., inventory of systems and processes, privacy impact assessments).
9.3 Staff training
Medeia Inc shall provide training on these Rules and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing BCI Data.
Article 10 – Monitoring compliance
10.1 Internal audits
Medeia Inc Internal Audit shall audit business processes and procedures that involve the Processing of BCI Data for compliance with these Rules. The audits shall be carried out in the course of the regular activities of Medeia Inc Internal Audit. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Board of Directors shall be informed of the results of the audits. In case the audit identifies violations of the Rules, these will be reported to senior management. A copy of the audit results will be provided to the Dutch Data Protection Authority upon request.
10.2 Business Customer audit
Medeia Inc shall provide to the Business Customer a statement issued by a qualified independent third party assessor certifying that the Medeia Inc business processes and procedures that involve the Processing of BCI Data comply with these Rules when requested by Business Customer.
10.3 Audit by Relevant Data Protection Authority
A Relevant Data Protection Authority may request an audit of the facilities used by Medeia Inc for the Processing subject to the same conditions (regarding the existence of the right to audit, scope, subject and other requirements) as would apply to an audit by that Data Protection Authority of the Business Customer itself under the Applicable Data Controller Law.
10.4 Annual Report
The Chief Privacy Officer shall produce an annual BCI Data protection report for Medeia Inc’ Board of Directors on Medeia Inc’ compliance with these Rules and other relevant issues.
Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address breaches of these Rules identified during the monitoring or auditing of compliance pursuant to this Article 10.
Article 11 – Legal issues
11.1 Specific provision when Data Protection Authorities in EEA have jurisdiction under national law.
If a Data Protection Authority of one of the EEA countries has jurisdiction under its applicable data protection law to evaluate data transfers by a Group Company established in its country, such Data Protection Authority may evaluate these data transfers also against these Rules. The Dutch Data Protection Authority will provide cooperation and assistance where required, including providing audit reports available at the Dutch Data Protection Authority insofar as relevant to evaluate the aforementioned data transfers against these Rules.
11.2 Rights of Business Customer's Individuals
When the Business Customer has factually disappeared or ceased to exist in law or has become insolvent, unless a successor entity has assumed the legal obligations of the Business Customer by contract or by operation of law (in which Jurisdiction for Claims of Business Customer's Individuals case the Business Customer's Individual should enforce its rights against such successor entity), the Business Customer's Individual can enforce against the Medeia Inc Contracting Entity Article 3, 5.1, 5.3, 6, 7.1, 7.2, 10.3, 11.1, 11.2, 11.4, and any claim for direct damages as a result of a breach of these enumerated provisions.
To the extent the Business Customer's Individual may enforce any rights against the Medeia Inc Contracting Entity, the Medeia Inc Contracting Entity may not rely on a breach by a Sub-processor of its obligations to avoid liability. Medeia Inc may, however, assert any defenses that would have been available to the Business Customer.
11.3 The Business Customer's Individual
The Business Customer's Individual may, at her choice, submit any claim she has under Article 11.2 against the Medeia Inc Contracting Entity:
(i) to mediation by;
a. an independent person located in the country in which the Business Customer's Individual resides or, if the Business Customer's Individual does not reside in an EEA Country, an independent person located in the Netherlands; or
b. a Relevant Data Protection Authority;
(ii) to the courts in the country of establishment of the Business Customer or, if the Business Customer is not established in an EEA Country, to a court in the Netherlands but in that case only against Medeia Inc; or
(iii) to a Relevant Data Protection Authority or, if the Business Customer is not established in an EEA Country, to the Dutch Data Protection Authority, but in that case only against Medeia Inc.
The courts, the Relevant Data Protection Authority and the Dutch Data Protection Authority shall apply their own substantive and procedural laws to the dispute. Any choice made by the Business Customer's Individual will not prejudice the substantive or procedural rights he may have under applicable law.
11.4 Rights of Business Customers
The Business Customer may enforce these Rules against the Medeia Inc Contracting Entity or, if the Medeia Inc Contracting Entity is not established in an EEA Country, against Medeia Inc. Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address violations of these Rules by the Medeia Inc Contracting Entity or any other Group Company. The Medeia Inc Contracting Entity or Medeia Inc may not rely on a breach by another Group Company or a Sub-processor of its obligations to avoid liability.
11.5 Available remedies, limitation of damages, burden of proof re. damages for Business Customer's Individuals
In case of a violation of these Rules, Business Customer's Individuals shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which, excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer's Individual resulting from a violation of these Rules.
Regarding the burden of proof in respect of damages, it will be for the Business Customer's Individual to demonstrate that she has suffered damage and to establish facts which show it is plausible that the damage has occurred because of a violation of these Rules. It will subsequently be for the Medeia Inc Contracting Entity or Medeia Inc to prove that the damages suffered by the Business Customer's Individual due to a violation of these Rules are not attributable to a Group Company or a Sub-processor.
11.6 Available remedies, limitation of damages, burden of proof re. damages for Business Customers
In case of a violation of these Rules, Business Customers shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which, excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer resulting from a violation of these Rules.
11.7 Mutual assistance Group Companies and redress
All Group Companies shall cooperate and assist each other to the extent reasonably possible to achieve compliance with these Rules, including an audit or inquiry by the Business Customer or a Relevant Data Protection Authority.
The Medeia Inc Group Company upon receiving a request for information pursuant to Article 6.1 or a claim pursuant to Article 11.1, is responsible for handling any communication with the Business Customer's Individual regarding her request or claim except where circumstances dictate otherwise and as mutually agreed among Senior Privacy Officers relevant to the specific issue.
The Medeia Inc Group Company that is responsible for the Processing to which the request or claim relates, shall bear all costs involved and reimburse any costs made by other Medeia Inc Group Companies in respect thereof.
11.8 Advice by Relevant Data Authority
Medeia Inc shall abide by the advice of a Relevant Data Protection Authority with regard to the Processing of BCI Data.
Article 12 – Sanctions for non-compliance
Non-compliance of Medeia Inc employees with these Rules may result in disciplinary action up to and including termination of employment.
Article 13 – Conflicts between the Rules and Applicable Data Processor Law
13.1 Conflict between Rules and law
Where there is a conflict between Applicable Data Processor Law and the Rules, the relevant Responsible Executive shall consult with the appropriate Senior Privacy Officers and their legal departments to determine how to comply with these Rules and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.
13.2 New conflicting legal requirements
The relevant Responsible Executive, in consultation with her legal department, shall promptly inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc ability to comply with these Rules.
Article 14 – Changes to the Rules
Any changes to these Rules require the prior approval of the Chief Legal Officer.
Any amendment shall enter into force after it has been approved and published on the Medeia Inc General Business Principles Internet site and communicated to the Business Customers.
Any request or claim of a Business Customer's Individual involving these Rules shall be judged against the version of these Rules that is in force at the time the request, complaint or claim is made.
The Chief Privacy Officer shall be responsible for informing the relevant government authorities of material changes to these Rules on a yearly basis and coordinating their responses. The Chief Privacy Officer shall inform the Board of Directors of the effect of these responses.
Article 15 – Transition Periods
15.1 General Transition Period
Except as otherwise indicated, Medeia Inc shall strive to comply with these Rules as soon as possible after the Effective Date. In any event all Processing of Personal Data that is subject to these Rules shall be conducted in compliance with the Rules within one year of the Effective Date.
15.2 Transition Period for New Group Companies
Any entity that becomes a Group Company after the Effective Date shall comply with the Rules within one year of becoming a Group Company.
15.3 Transition Period for Divested Entities
A Divested Entity will remain covered by these Rules after its divestment for such period as is required by Medeia Inc to disentangle the Processing of BCI Data relating to such Divested Entity.
15.4 Transition Period for Systems
Where implementation of these Rules requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.
15.5 Transition Period for Existing Agreements
Where there are existing agreements with Third Parties that are affected by these Rules, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.
ANNEX 1 - Definitions
ADEQUATE COUNTRY shall mean the EEA and those countries that the European Commission considers to provide an “adequate” level of data protection pursuant to Articles 25(6) and 31(2) EU Data Protection Directive.
Applicable Adequate Data Protection Law
APPLICABLE ADEQUATE DATA PROTECTION LAW shall mean the Data Protection Laws of an Adequate Country that are applicable to the Business Customer as the Data Controller of the BCI Data.
Applicable Data Processor Law
APPLICABLE DATA PROCESSOR LAW shall mean the Data Protection Laws that are applicable to Medeia Inc as the Data Processor of the BCI Data.
BUSINESS CUSTOMER shall mean the customer who has entered into a contract with Medeia Inc for the delivery of Medeia Inc Customer Services.
Business Customer's Individual
BUSINESS CUSTOMER'S INDIVIDUAL shall mean any individual whose Personal Data are Processed by Medeia Inc in its role as a Data Processor in the course of delivering Medeia Inc Customer Services to a Business Customer.
BCI DATA shall mean Personal Data of a Business Customer's Individual.
Business Customer Service Contract
BUSINESS CUSTOMER SERVICE CONTRACT shall mean the contract for delivery of Medeia Inc Customer Services entered into between a Medeia Inc Group Company and the Business Customer pursuant to Article 2.1.
Chief Legal Officer
CHIEF LEGAL OFFICER shall mean the chief legal officer of Medeia Inc.
Chief Privacy Officer
CHIEF PRIVACY OFFICER shall mean the officer referred to in Article 8.1.
COUNTRY shall mean each country in which a Group Company is established.
Country Privacy Officer
COUNTRY PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Country, in accordance with Article 8.3.
CUSTOMER SERVICES shall mean the services provided by Medeia Inc to Business Customers to support products and services of Medeia Inc or a Third Party. Such services may include the (remote) monitoring of patient or customer data or repair, maintenance, upgrade, replacement, inspection and calibration activities, the collection or provision of diagnostic or operational information, and related support activities aimed at facilitating continued and sustained use of products and services of Medeia Inc or a Third Party.
DATA CONTROLLER shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
DATA PROCESSOR shall mean the entity or natural person which Processes Personal Data on behalf of a Third Party Data Controller.
Data Protection Law
DATA PROTECTION LAW shall mean the laws of a country containing rules for the protection of individuals with regard to the Processing of Personal Data including security requirements for and the free movement of such Personal Data.
Data Security Breach
DATA SECURITY BREACH shall mean the unauthorized acquisition, access, use or disclosure of unencrypted BCI Data that compromises the security or privacy of such data to the extent the compromise poses a significant risk of financial, reputational, or other harm to the Business Customer's Individual. A Data Security Breach is deemed not to have occurred where there has been an unintentional acquisition, access or use of unencrypted BCI Data by an employee of Medeia Inc or the Business Customer or an individual acting under their respective authority, if
(i) the acquisition, access, or use of BCI Data was made in good faith and within the course and scope of the employment or professional relationship of such employee or other individual; and
(ii) (ii) the BCI Data are not further acquired, accessed, used or disclosed by any person.
Data Transfer Restriction
DATA TRANSFER RESTRICTION shall mean any restriction under the data protection laws of an Adequate Country regarding outbound transfers of Personal Data.
DIVESTED ENTITY shall mean the divestment by Medeia Inc of a Group Company or business by means of:
a) a sale of shares as a result whereof the Group Company so divested no longer qualifies as a Group Company; and/or
b) a demerger, sale of assets, or any other manner or form.
EEA COUNTRIES (European Economic Area Countries) shall mean all Member States of the European Union, Norway, Iceland, Liechtenstein and, for purposes of these Rules, Switzerland.
EFFECTIVE DATE shall mean the date on which these Rules become effective as set forth in Article 1.7.
EMPLOYEE shall mean an employee, job applicant or former employee of Medeia Inc.
EU Data Protection Directive
EU DATA PROTECTION DIRECTIVE shall mean the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
FUNCTION shall mean a corporate department organized within Medeia Inc (e.g. Corporate HRM, Corporate IT, Corporate Finance, Corporate Legal).
Function Privacy Officer
FUNCTION PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Function, in accordance with Article 8.3.
GROUP COMPANY shall mean Medeia Inc and any company or legal entity of which Medeia Inc, directly or indirectly owns more than 50% of the issued share capital, has 50% or more of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity; however, any such company or legal entity shall be deemed a Group Company only (i) as long as a liaison and/or relationship exists, and (ii) as long as it is covered by the Medeia Inc General Business Principles.
Medeia Inc shall mean Medeia Inc, having its registered seat in Heerhugowaard, The Netherlands.
MANDATORY REQUIREMENTS shall mean mandatory requirements of Applicable Data Processor Law which do not go beyond what is necessary in a democratic society i.e. which constitute a necessary measure to safeguard national security defense, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the state or the protection of a Business Customer's Individual or the rights and freedoms of others.
PERSONAL DATA shall mean any information relating to an identified or identifiable individual.
Medeia Inc shall mean Medeia Inc and its Group Companies.
Medeia Inc Contracting Entity
Medeia Inc CONTRACTING ENTITY shall mean the Medeia Inc Group Company that has entered into the Business Customer Service Contract.
Medeia Inc shall mean Medeia Inc, having its registered seat in Heerhugowaard, The Netherlands.
Medeia Inc Privacy Council
Medeia Inc PRIVACY COUNCIL shall mean the council referred to in Article 8.2.
Medeia Inc Sub- Processor
Medeia Inc SUB-PROCESSOR shall mean any Group Company engaged by Medeia Inc as a Sub- Processor.
PRIVACY OFFICER shall mean the privacy officers appointed by the Senior Privacy Officers pursuant to Article 8.3.
PROCESSING shall mean any operation that is performed on BCI Data, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of BCI Data.
REGION shall mean a particular geographic area in which certain Countries are grouped.
Region Privacy Officer
REGION PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Region, in accordance with Article 8.3.
Relevant Data Protection Authority
RELEVANT DATA PROTECTION AUTHORITY shall mean any data protection authority that is competent to supervise the Business Customer as the Data Controller of the BCI Data.
RESPONSIBLE EXECUTIVE shall mean the lowest-level Medeia Inc business executive or the non-executive general manager of a Medeia Inc ORU (Organizational Reporting Unit) who has primary budgetary ownership of the relevant Processing.
RULES shall mean the Processor Privacy Rules for BCI Data.
SECTOR shall mean a top-level product division that is globally served by a specific Group Company, (e.g., Medeia Inc).
Sector Privacy Officer
SECTOR PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Sector, in accordance with Article 8.3.
Senior Privacy Officers
SENIOR PRIVACY OFFICERS shall mean the appropriate Sector Privacy Officers, Function Privacy Officers, Country Privacy Officers and/or Region Privacy Officers.
SENSITIVE DATA shall mean Personal Data that reveal a Business Customer's Individual’s racial or ethnic origin, political opinions or membership in political parties or similar organizations, religious or philosophical beliefs, membership in a professional or trade organization or union, physical or mental health including any opinion thereof, disabilities, genetic code, addictions, sex life, criminal offenses, criminal records, proceedings with regard to criminal or unlawful behavior, or social security numbers issued by the government.
STAFF shall mean all Employees and other persons who Process BCI Data as part of their respective duties or responsibilities using Medeia Inc information technology systems or working primarily from Medeia Inc premises.
SUB-PROCESSOR shall mean any Data Processor engaged to Process BCI Data as a sub-processor.
THIRD PARTY shall mean any person or entity (e.g., an organization or government authority) outside Medeia Inc.
Third Party Sub- processor
THIRD PARTY SUB-PROCESSOR shall mean any Third Party engaged by Medeia Inc as a Sub-Processor.
Third Party Sub- processor Contract
THIRD PARTY SUB-PROCESSING CONTRACT shall mean the written contract entered into between the Medeia Inc Contracting Entity and the Third party Sub-processor pursuant to Article 7.1.
Interpretation of these rules:
I. Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time.
II. Headings are included for convenience only and are not to be used in construing any provision of these Rules.
III. If a word or phrase is defined, its other grammatical forms have a corresponding meaning.
IV. The female form shall include the male form.
V. The words “include,” “includes,” “including” and “e.g.”, and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa; and
VI. A reference to a document (including, without limitation, a reference to these Rules) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by these Rules or that other document.
ANNEX 2 - Data Security
Security Policy Overview
IT systems and information are vital assets, which are essential to Medeia Inc business. Medeia Inc has established an IT Security Framework, associated policies, and mandatory standards to protect the confidentiality, availability, and integrity of these assets.
The following provides an overview of those policies, procedures and processes that comprise the technical, physical and organizational measures employed by Medeia Inc to protect BCI Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.
Medeia Inc Security Risk & Compliance Policy Framework
This document establishes the framework of IT security, risk, and compliance management policies and guidelines issued by Medeia Inc IT department. Each Medeia Inc business is responsible for integrating the controls based on appropriate risk assessments, and evolving industry standards.
Medeia Inc Information Security Policy - UDN 1596
This document describes objectives, responsibilities and mandatory rules for information security. This policy is derived from the Medeia Inc General Business Principles and is fully endorsed by the Medeia Inc Board of Management. This policy, along with the IT Security Controls document (see below), comprises the mandatory Medeia Inc Information Security Policies.
Medeia Inc IT Security Controls
The Medeia Inc IT Security Controls document is an extension of the Medeia Inc Information Security Policy (UDN 1596) and describes the control objectives, and key controls, including policies, processes, and procedures, organizational structures and software and hardware functions. This document is a statement of responsibilities of both Medeia Inc management and staff in order to establish and maintain an organization-wide secure IT environment. The following are examples of data security controls, further detailed in the Security Controls document:
• Data Classification
• Asset Accountability
• Physical Security Controls
• Security Risk Assessment
• System Planning and Acceptance
• Segregation of Duties
• Software Patching and Updates
• Backup and Restore
• Network Management Controls, including Audit Logging, Remote User Access, etc.
• Media Handling and Security, including Procedures for Secure Destruction of Data, etc.
• Exchange of Information and Software (between company systems)
• Access Controls
• Third-party Access Controls
• Mobile Computing
• Electronic Messaging
• Information Security Incident Management
• Business Continuity Management
Medeia Inc IT Security Standards, Guidelines and Baselines:
Additional documents set forth further direction for implementation of specific, required controls, including:
• User Account and Password Management
• Internal Firewall Policy
• IT Security Disk Encryption Policy
• IT Security Risk Assessment
Information Classification and Access Control
Medeia Inc regards information required for the pursuance of its business as a corporate asset, which must be protected against loss and infringements of its integrity and confidentiality.Each organizational unit is required by policy to assess risks to identified information assets and periodically check the level of security through security reviews.
Information is classified into one of three categories, and each classification requires appropriate levels of security controls (e.g., encryption of data classified as secret or confidential).
Medeia Inc Security Policy further requires that security measures for processing and storage of information be proportionate to classification level, and each user is to be uniquely identifiable, via personal user identification.
Access controls exist to restrict access to systems and data to management authorized individuals for valid business purposes only. Medeia Inc Staff and Third Parties processing Medeia Inc information are accountable for the protection of that information and the applicable assets, per Medeia Inc Security Policies.
System Integrity and Availability
Each (Medeia Inc) organization is responsible for formal acceptance of the continuity of its business in the event of degradation or failure of the information infrastructure.
Back-up copies of critical business information and software must be taken regularly and tested to ensure recovery. Contingency procedures must be tested at least annually, and workability of the contingency plan must be formally verified.
Medeia Inc IT Security Controls require appropriate logging and monitoring to enable recording of IT security-relevant actions. IT Security features, service levels and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided in-house or outsourced. Also, formal procedures are required for authorizing access to systems or applications, and all user access rights and privileges must be reviewed at regular intervals, at least quarterly.
All employees, contractors, and third party users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services, through management channels, to Medeia Inc CSIRT (Computer Security Incident Response Team) for investigation and follow-up, as appropriate. IT Security incidents that involve personal data or that may have privacy implications must also be reported to the applicable Privacy Officer.
Medeia Inc IT Security Policy requires Medeia Inc management to identify those areas requiring specific level of physical security, and access to those areas is provided only to authorized persons for authorized purposes. Medeia Inc secured areas employ various physical security safeguards, including closed circuit television monitoring, use of security badges (identity controlled access) and security guards stationed at entry and exit points. Visitors may only be provided access where authorized and are to be supervised at all times.
Medeia Inc has a standing Security Risk & Compliance organization (SRC) that regularly monitors the implemented security measures and implementation of new security requirements. Compliance with Medeia Inc IT Security Policies is accomplished through annual training, periodic reviews of local and organization-wide policies and procedures, and audits.