This Policy applies to the processing of personal information transferred from European Union Member States, and the United Kingdom for processing by Insight Rx, Inc. It applies to processing Insight Rx performs pursuant to contracts with controllers (also referred to herein as "customers") in accordance with the EU General Data Protection Regulation ("GDPR").
Insight Rx may revise this Policy from time to time, and if so we will post the revised Policy at www.insight-rx.com/gdpr with an effective date.
As used in this Policy, the following terms have the following meanings:·
In accordance with GDPR, data subjects must be provided notice of specified information in connection with the processing of their personal information. Depending upon Insight Rx's contracts with customers/controllers, some or all portions of the requisite notice may be provided to data subjects directly by the customers/controllers. To the extent that such notice is not provided by the customers/controllers, InsightRx shall provide such notice in accordance with Insight Rx's contracts with customers/controllers. If the personal data is collected from the data subject, the requisite notice must be provided before or at the time of data collection. This may include, for example, notice with respect to:
Insight Rx will only use personal information as required or permitted by applicable law. Insight Rx may use and disclose personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. This may include disclosures of personal information in response to lawful requests by public authorities, including disclosures for national security or law enforcement requirements.
All contracts with customers/controllers involving the processing of personal information transferred from EU shall be consistent with the GDPR and shall set forth InsightRx' obligations as a processor including that Insight Rx shall:
Data subjects may be asked to consent to use of their personal data unless such consent is not required.
Insight Rx offers data subjects the opportunity to choose whether their personal information is to be disclosed to a third party or used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the data subject, unless the use or disclosure is otherwise permitted or required by applicable law. Insight Rx will not use or disclose personal information for any use or purpose not authorized by contract with a customer/controller or not described in the notice provided by the customer/controller or notice provided by Insight Rx without the data subject's express consent, unless otherwise permitted or required by applicable law.
This consent shall be freely given, specific, informed and an unambiguous indication of the data subject's wishes. The consent shall take the form of a statement or clear affirmative action, signifying agreement to the processing of personal data. The consent may take the form of ticking a box electronically or another statement or conduct which clearly indicates acceptance (Opt-In). Silence, pre-ticked boxes and inactivity does not constitute consent and will not be used by Insight Rx.
Once this consent has been given, data subjects may withdraw this consent to disclose personal information to a third party or use personal information fora purpose other than the purpose for which it was originally collected or subsequently authorized (Opt-Out). To withdraw consent, data subjects must submit a request to the Insight Rx Data Protection Officer at email@example.com. The withdrawal of consent will be processed without undue delay after receipt of the request. The withdrawal does not impact the lawfulness of any processing that occurred prior to the withdrawal.
Minors may not consent to use and disclosure of their personal data unless authorized by applicable law to consent to such use and disclosure on their own behalf. Adults may consent on behalf of children if they are the legal parent, guardian or personal representative in accordance with applicable laws. Individuals who consent to the use and disclosure of personal data represent that they have the legal authority to do so. We will delete any personal information collected based upon consent that we later know to be from a person not authorized to consent to the use and disclosure.
Should Insight Rx contract with another processor ("subcontractor") to provide any of the services Insight Rx provides to customers/controllers, Insight Rx will enter into a contract with that subcontractor that provides that the subcontractor may have access to personal information only for purposes of performing these tasks on our behalf. Insight Rx will obtain assurances from the subcontractor that the subcontractor will safeguard personal information consistently with this Privacy ShieldPolicy. Appropriate assurances will be obtained under contract obligating the subcontractor to provide at least the same level of protection as is required by the relevantPrivacy Shield Framework Principles, and other applicable law including GDPRand the Swiss DPA. Appropriate assurances will be obtained under contract obligating subcontractors to notify Insight Rx if the subcontractor can no longer provide these protections; and upon receipt of such notice, obligating Insight Rx to take reasonable steps to stop and remediate any unauthorized processing. InsightRx remains liable for the acts and omission of its subcontractors unlessInsight Rx proves that it is not responsible for the event giving rise to the damage.
Insight Rx follows generally accepted industry standards to protect personal information when it is stored or processed by Insight Rx. Insight Rx has implemented security safeguards to protect personal information regardless of the format in which it is held, against loss or theft, unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. Insight Rx uses safeguards that are appropriate to the sensitivity of the information.InsightRx uses security measures to ensure that personal information is being appropriately protected including, by way of example, the following:
When disposing of or anonymizing personal information, Insight Rx will use appropriate security measures to ensure that personal information is not inappropriately used.
InsightRx will, on a regular basis, review and update security policies and controls as technology changes to ensure ongoing personal information security.
No method of electronic storage is 100% secure. Therefore, while Insight Rx strives to use commercially acceptable means to protect personal information, Insight Rx cannot guarantee its absolute security.
Personal information that is collected andprocessed by Insight Rx is limited to the information relevant for the purposeof the processing for which it wasoriginally collected or subsequently authorized by the data subject, unless theuse or disclosure is otherwise permitted or required by applicable law orunless the data subject has expressly consented to processing for otherpurposes. Insight Rx takes reasonablesteps to ensure that personal information is reliable for its intended use,accurate, complete, and current and shall do so for as long as Insight Rxretains the information.
The GDPR gives data subjects' certain rights with respect to their personal information. These rights include the right to access, correct, delete, restrict, and move personal information subject to certain requirements, restrictions, and exceptions. Data subjects may also object to the processing of personal data under certain circumstances. Data subjects also have certain rights with respect to automated decision-making including profiling. As set forth in this Policy, Insight Rx will provide data subjects their rights as required by law and subject to the requirements, restrictions and exceptions set forth in the GDPR. In order to request access, correction, deletion, restriction, or movement; or in order to object to processing or automated decision making, please email the Insight Rx Data Protection Officer at firstname.lastname@example.org. Insight Rx may need to verify your identity prior to granting any such request.
Upon request, Insight Rx will, as required by applicable law or if required by its contracts with customers/controllers, grant individuals reasonable access to personal information that it holds about them. Insight Rx will assist controllers in fulfilling requests by individuals for access to their information that is being processed by Insight Rx. A copy of personal data undergoing processing must be provided to data subjects by controllers without charge. Controllers may charge a reasonable fee for additional copies. An individual's right to access may be limited if it would adversely affect the rights and freedoms of others.
Upon request, Insight Rx will, as required by applicable law or if required by its contracts with customers/controllers, permit individuals to correct or amend information without undue delay that is demonstrated to be inaccurate or incomplete. As a processor, Insight Rx will assist controllers in fulfilling requests by individuals for correction or amendment. Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Upon request, Insight Rx will delete information without undue delay as required by applicable law or if required by its contracts with customers/controllers. As a processor, Insight Rx will assist controllers in fulfilling requests by individuals for deletion.The right to have personal information deleted is subject to certain conditions, including but not limited to: the data is no longer necessary for the purposes for which it was collected or processed; the data subject withdraws consent when the processing is based on consent and there are no other legal grounds for processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; and the data have been unlawfully processed. Under certain circumstances under the law, data cannot be deleted, including but not limited to when processing is necessary for: public health, scientific research or statistical purposes, and defense of legal claims.
Upon request, Insight Rx will restrict the processing of information as required by applicable law or if required by its contracts with customers/controllers. As a processor, Insight Rx will assist controllers in fulfilling requests by individual for restrictions. Restrictions may be requested, for example, when: the accuracy of the personal data is contested; the processing is unlawful and the data subject prefers restriction to deletion; the data is no longer needed for processing but is still needed for defense of legal claims; or there is a question whether the processing overrides the interests of the data subject.
Under certain circumstances, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the initial controller. If technically feasible, data subjects may have the data transmitted directly from one controller to another. The right to portability must not adversely affect the rights and freedom of others. As a processor, Insight Rx will assist controllers in movement of the data for these purposes as applicable.
Data subjects have the right to object to the processing of personal data under certain circumstances including the right to object at any time to the processing of personal data for direct marketing purposes. Once a data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.Data subjects also have certain rights with respect to automated decision-making including profiling. A data subject has the right, under certain circumstances, not to be subject to profiling which produces legal effects for the data subject. This right does not apply if the profiling is necessary to perform a contract between the data subject and controller, is authorized by law, or is based on the data subject's explicit consent.Upon request, Insight Rx will restrict the processing of information in accordance with the data subject's exercise of the right to object as required by applicable law or if required by its contracts with customers/controllers. As a processor, Insight Rx will assist controllers in fulfilling such requests by individuals.
Insight Rx commits to resolve complaints about the collection or use of personal information. Individuals with inquiries or complaints regarding this Policy or regarding the use or disclosure of personal information should first contact Insight Rx Data Protection Officer at:
Data Protection Officer
Insight Rx will investigate and attempt to resolve complaints regarding use and disclosure of personal information by reference to the principles contained in this Policy. Insight Rx will respond to an individual who has submitted a complaint within 45 days.
Arbitration may be invoked for complaints that remain unresolved after: (1) submitting a complaint to Insight Rx does not resolve the complaint; (2) submitting a complaint to an independent dispute resolution mechanism does not resolve the complaint; and (3) allowing the U.S. Department ofCommerce an opportunity to resolve the issue. The remedies from this arbitration are limited to individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. No damages, costs, fees, or other remedies are available from this arbitration. Each party bears its own attorney's fees for arbitration.
Adherence by InsightRx to GDPR may, as permitted, be limited (a) to the extent required to respond to a legal obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and(c) to the extent expressly permitted by an applicable law, rule or regulation. This Policy may be amended from time to time, in a manner consistent with the requirements of the GDPR. Insight Rx will post any revised policy on the Site. We encourage visiting the Insight Rx website periodically to check for updates.