Effective Date: October 10, 2023
GeneCentric Therapeutics, Inc. (“GeneCentric”, “we”, “our” or “us“) has certified certain of its services, for which we act as a service provider for customers in the European Economic Area (“EEA”), the United Kingdom (and Gibraltar), and Switzerland.
This Data Privacy Framework Notice (“Notice“) describes our standards and procedures for handling Personal Information transferred from the EEA, the United Kingdom (and Gibraltar), and Switzerland to the United States in accordance with GeneCentric’s obligations under the EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF (collectively, the “DPF”).
For the purpose of this Notice, “Personal Information” means any data relating to an identified or identifiable individual that we process in connection with the services covered by this Notice, and “process” or “processing” means any operation performed on Personal Information, such as, for example, collection, use, management, consultation or disclosure.
GENECENTRIC’S PARTICIPATION IN THE EU-U.S., UK EXTENSION AND SWISS-U.S. DATA PRIVACY FRAMEWORKS
GeneCentric provides bioinformatic analysis services to customers (typically pharmaceutical and biotechnology companies) in the EEA, the United Kingdom, and Switzerland that involve receiving and processing Personal Information on those customers’ behalf. This Notice, and GeneCentric’s DPF certifications, apply to these services.
GeneCentric complies with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union, United Kingdom, and Switzerland to the United States in connection with its performance of bioinformatic analysis services. GeneCentric has certified to the Department of Commerce that it adheres to the DPF with respect to these bioinformatic analysis services. If there is any conflict between the terms in this Notice and the Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
GeneCentric commits to comply with the Principles with respect to all Personal Information received from the EEA, United Kingdom, and Switzerland in reliance on the DPF Frameworks.
GeneCentric is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) with respect to its compliance with the DPF Frameworks.
THE TYPES OF PERSONAL INFORMATION WE RECEIVE AND THE PURPOSES FOR WHICH WE USE IT
When performing our bioinformatic analysis services, GeneCentric receives Personal Information from our customers that includes personal information pertaining to clinical research participants, including genetic information associated with human tissue samples and associated clinical data, who are involved clinical research conducted by our customers. This information may include sensitive information about those individuals’ health status, medical assessments, and test results. We may also receive Personal Information regarding study investigators and their staff, as well as medical and healthcare professionals, who are involved in this clinical research. We use this information to perform our bioinformatic analysis services. In performing these services, GeneCentric acts as a data processor for the customer (who acts as the data controller), or as a sub-processor for the customer’s other service providers, and acts pursuant to the customer’s instructions and in accordance with contractual agreements between GeneCentric and the customer or the customer’s other service providers.
We may also receive basic business contact information pertaining to customer personnel with whom we interact to perform our bioinformatic analysis services. This information may include names, business email addresses, mailing addresses, and business telephone numbers. We use this information to coordinate the performance of our services and to manage our business relationships with our customers.
DISCLOSURES OF PERSONAL INFORMATION TO THIRD PARTIES
GeneCentric may disclose the Personal Information we receive in reliance on the DPF to (a) third-party service providers who act as our agents to assist in our performance of our services; and (b) newly-formed or acquiring organizations in the event of a merger, sale, or transfer of some or all of our business.
GeneCentric is responsible for our third-party service providers’ compliance with these obligations and shall remain liable under the Principles if they process Personal Information that we have received under the DPF in a manner inconsistent with the Principles.
GeneCentric may also disclose Personal Information when required by law or legal process, such as in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
ACCESS AND CHOICE
Individuals in the EEA, the United Kingdom, and Switzerland have a right to access Personal Information about them, and to limit the use and disclosure of their Personal Information. As part of its certification to the DPF Frameworks, GeneCentric is committed to respecting those rights.
GeneCentric acts as service provider to customers in the EEA, the United Kingdom, and Switzerland with respect to Personal Information that we process in connection with our bioinformatic analysis services and we are subject to strict contractual limitations on our ability to disclose that Personal Information to third parties or to use that Personal Information for purposes other than our performance of those services. For these reasons, GeneCentric assumes that the customers from whom it receives that Personal Information will provide individuals a means to access any Personal Information about them, and to request that their Personal Information be corrected, amended, or deleted. GeneCentric further assumes that customers will provide notice and obtain any necessary consent from these individuals to transfer their Personal Information to us and for us to process their Personal Information consistent with this Notice and our agreements with those customers or their service providers.
If you are an individual who believes your Personal Information is included in Personal Information that we process on behalf of a customer in the EEA, the United Kingdom, or Switzerland and would like to exercise your rights of access or choice, please contact that customer directly. Alternatively, you may contact GeneCentric in accordance with the “Questions or Complaints” section of this Notice, in which case you should provide the name of the customer in the EEA, United Kingdom, or Switzerland who acts as the controller for your Personal Information. We will refer your request to that customer and will support them as needed in responding to your request.
Customer personnel whose Personal Information we have collected in connection with our performance of services on behalf of their employer may request to access or correct any Personal Information that we have collected by contacting us using the contact information indicated below. In the event this Personal Information is (i) to be used for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorized, or (ii) transferred to a third party acting as a data controller, these individuals will be given, where appropriate, an opportunity to opt out of having their Personal Information so used or transferred.
QUESTIONS OR COMPLAINTS
GeneCentric commits to resolve complaints about our handling of Personal Information we receive in reliance on the DPF Frameworks. Individuals in the EEA, the United Kingdom, and Switzerland with questions or complaints regarding this Notice or our privacy practices should first contact GeneCentric:
- By email at [email protected]; or
- By postal mailing to GeneCentric Therapeutics, Attn: Jeff Burdine, PO Box 12838, NC 27709, USA
If an issue cannot be resolved by GeneCentric, you may submit a complaint to JAMS, an alternative dispute resolution provider that we have designated to provide, at no cost to you, an independent third-party dispute resolution option based in the U.S. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit. https://www.jamsadr.com/dpf-dispute-resolution
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance that are not resolved by any of the other DPF mechanisms. For additional information about the arbitration process please see the additional information available here for EU/EEA and UK (and Gibraltar) individuals and here for Swiss individuals.
AMENDMENT This Notice may be amended consistent with the requirements of the DPF. When we update this Notice, we will also revise the “Last Updated” date at the top of this document.