Last Reviewed: April 23, 2019
This Privacy Shield Policy (“Policy”) describes Nocimed™, Inc.’s (“Nocimed”) practices relating to the processing of Personal Data that Nocimed obtains from Data Subjects located in the European Union (EU) (hereinafter “EU Personal Data”). If there is any conflict between the policies in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Nocimed is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
Capitalized terms are defined in Section 11 of this Policy.
Nocimed will renew its EU-US Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
Prior to the re-certification, Nocimed will conduct a self-assessment to ensure that its attestations and assertions about its treatment of Individual Patient Personal Data are accurate and that the company has appropriately implemented these practices.
Collection and Use of Personal Data, Data Integrity, and Purpose
Physicians located in the EU may collect EU Personal Data from Individual Patients, subject to such Individual Patients’ lawful consent, and may forward this Personal Data to Nocimed for the purpose of providing a NOCIGRAM-LS™ report. The following data may be obtained and transferred with an Individual Patient’s MRI/MRS record: MRI/MRS images, name, medical record number (MRN), height, weight, and age/birthdate. Per the Privacy Shield Principles, this information may be considered sensitive information.
The Physician, as data controller, determines the purposes of processing, what EU Personal Data is relevant for the purposes of processing, and the means of the processing of the EU Personal Data, and Nocimed will process said Personal Data on behalf of and under a written data processing contract concluded between Nocimed and the Physician. Nocimed will use the Personal Data transferred to Nocimed by the Physician for the sole purpose of analyzing the MRI/MRS data and providing a NOCIGRAM-LS™ report.
Nocimed will take reasonable steps to help ensure the integrity of the EU Personal Data. Nocimed and the Physician will also take reasonable steps to ensure that the EU Personal Data is reliable for its intended use, accurate, complete, and current.
Disclosures/Onward Transfers of Personal Data
Nocimed may engage other data processors for carrying out specific processing activities with regard to the EU Personal Data transferred by the Physician only under appropriate data processing contracts, as required by the Privacy Shield Principles and mirroring the data protection obligations that Nocimed has accepted under the data processing contract concluded between Nocimed and the Physician. Such recipients must agree to abide by confidentiality obligations and treat EU Personal Data as required under the Privacy Shield Principles. Nocimed will take reasonable and appropriate steps to ensure that the data processors use the EU Personal Data in accordance with the agreement and consistent with the Privacy Shield Principles. Should Nocimed receive notice of any unauthorized processing by the data processors, Nocimed will take reasonable and appropriate steps to stop the unauthorized processing and remediate. Nocimed will maintain copies of all of its agreements with data processors to which it transfers EU Personal Data and provide copies of the agreements to the Department of Commerce upon request.
Nocimed may engage third party service providers (data processors) that provide data storage and transfer services for the purposes of transmitting results (which include EU Personal Data) to the requesting Physician. Nocimed may also engage third party service providers (data processors) to provide it with on-site and cloud data storage services.
Nocimed also may only disclose EU Personal Data for other purposes when a Data Subject has consented to or requested such disclosure. Nocimed is liable for appropriate onward transfers of Personal Data to third parties.
Please be aware that Nocimed may be required to disclose EU Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Nocimed takes reasonable and appropriate measures to protect EU Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. In so doing, Nocimed takes into account the risks involved in its processing of the EU Personal Data and the nature of the EU Personal Data it receives.
If Nocimed discloses EU Personal Data to a third party, Nocimed will contractually require that third party to provide the same level of protections to the EU Personal Data as required by the Privacy Shield Principles. Nocimed requires valid SOC 2 Type II reports from all third parties that will transfer or maintain Personal Data.
Accessing Personal Data
Nocimed personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.
Right to Access, Change, or Delete Personal Data
We will not share your personal data with third parties other than our agents, or use it for a purpose other than for which it was originally collected or subsequently authorized, without your prior written consent.
Questions and Complaints
In compliance with the Privacy Shield Principles, Nocimed commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Nocimed at:
951 Mariners Island Blvd #300
San Mateo, CA 94404
Phone: (650) 241-1741
Collegium Auditores GmbH
Tel: (+49) 2241 9575935
Nocimed’s General Data Protection Regulation Representative can be contacted at:
GDPR AV Services UG (limited liability)
48153 Münster, Germany
Tel: (+49) 251 93266180
Nocimed will respond to EU Data Subject inquiries without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the inquiries.
Nocimed has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Changes to This Policy
This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. Nocimed will make employees aware of changes to this Policy either by posting to our intranet, through email, or other means. Nocimed will notify Physicians if Nocimed makes changes that materially affect the way Personal Data that was previously collected is handled.
“Individual Patient” means an individual patient in the EU for whom a prescribing Physician intends to receive a NOCIGRAM-LS™ Report from Nocimed. This individual patient can also be considered a “Data Subject,” depending on the circumstance.
“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of Nocimed.
“Europe” or “European” refers to a country in the European Union.
“Personal Data” as defined under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”) means data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include data that is de-identified, anonymous, or publicly available.
“Physician” means the healthcare provider providing or prescribing treatment to the patient in the EU; this includes a member of that prescribing healthcare provider’s team who is authorized to obtain consent.
“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.
“Third Party” means any individual or entity that is neither Nocimed nor a Nocimed employee, agent, contractor, or representative.