GDPR Policy

Insight Rx, Inc.
GDPR Policy
Last Updated: 10/01/2018

Get a quote

Get a free quote now.

Thank you! Your message has been received!
Oops! Something went wrong while submitting the form.

This Policy applies to the processing of personal information transferred from European Union Member States, and the United Kingdom for processing by Insight Rx, Inc.  It applies to processing Insight Rx performs pursuant to contracts with controllers (also referred to herein as "customers") in accordance with the EU General Data Protection Regulation ("GDPR").

Insight Rx may revise this Policy from time to time, and if so we will post the revised Policy at www.insight-rx.com/gdpr with an effective date.

I. Definitions

As used in this Policy, the following terms have the following meanings:

  • "Anonymous information" means information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable.
  • "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • "Data portability" means the transmission of personal data in a structured, commonly used and machine-readable format from one controller to another.
  • "Data subject" means an identified or identifiable natural person.
  • "Health data" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
  • "Personal data" or  "personal information" means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
  • "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • "Recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not.
  • "Third party" means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor or subcontractor of the controller or processor.

II. Notice

In accordance with GDPR, data subjects must be provided notice of specified information in connection with the processing of their personal information.  Depending upon Insight Rx's contracts with customers/controllers, some or all portions of the requisite notice may be provided to data subjects directly by the customers/controllers. To the extent that such notice is not provided by the customers/controllers, InsightRx shall provide such notice in accordance with Insight Rx's contracts with customers/controllers.  If the personal data is collected from the data subject, the requisite notice must be provided before or at the time of data collection.  This may include, for example, notice with respect to:

  • The type of personal information collected.
  • The purpose for the collection and processing of the personal information.
  • The categories of personal data concerned
  • The type or identity of recipients to whom the personal information is disclosed.
  • That the customer/controller intends to transfer personal data to Insight Rx in the United States for processing and that Insight Rx complies with GDPR
  • The requirement to disclose personal information in response to lawful requests by public authorities including to meet national security or law enforcement requirements.
  • The period for which the personal data will be stored or the criteria used todetermine that period.
  • An explanation of the data subject's rights to request that the controller provide access to, correction of, or erasure of personal data.
  • Contact information for the Insight Rx Data Protection Officer.
  • The process for submitting complaints, the right to independent dispute resolution, and the opportunity for arbitration.  

Insight Rx will only use personal information as required or permitted by applicable law.  Insight Rx may use and disclose personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. This may include disclosures of personal information in response to lawful requests by public authorities, including disclosures for national security or law enforcement requirements.

III. Processing contracts

All contracts with customers/controllers involving the processing of personal information transferred from EU shall be consistent with the GDPR and shall set forth InsightRx' obligations as a processor including that Insight Rx shall:

  • Only process personal data upon instruction from the controller unless otherwiserequired to do so by applicable law.
  • Ensure that individuals processing the data have committed or are required to treat the data confidentially.
  • Implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure or access.
  • Obtain authorization from the controller to engage subcontractors, require subcontractors to agree to the same data protections agreed to by Insight Rx, and require subcontractors to notify Insight Rx if the subcontractor can no longer meet these obligations and upon receipt of such notice take reasonable steps to stop and remediate any unauthorized processing.
  • Assist the controller insofar as possible in fulfilling the controller's obligations to respond to requests by data subjects exercising their rights including the data subjects' rights to access, correction, deletion, restriction of processing, data portability, and objection; except to the extent such rights may be limited by law including laws designed to safeguard national security, defense, public security, criminal proceedings, and judicial proceedings.
  • Assist the controller insofar as possible in fulfilling the controller's obligations to provide notice in the case of a personal data breach.
  • At the choice of the controller, delete or return all personal data to the controller after the end of the provision of services and delete all copies unless otherwise required by law.
  • Make information available to the controller necessary to demonstrate the controller's compliance with applicable law.
  • Allow audits and inspections by the controller to demonstrate compliance except as otherwise required by applicable law.  

IV. Choice and Consent

Data subjects may be asked to consent to use of their personal data unless such consent is not required.

Insight Rx offers data subjects the opportunity to choose whether their personal information is to be disclosed to a third party or used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the data subject, unless the use or disclosure is otherwise permitted or required by applicable law.   Insight Rx will not use or disclose personal information for any use or purpose not authorized by contract with a customer/controller or not described in the notice provided by the customer/controller or notice provided by Insight Rx without the data subject's express consent, unless otherwise permitted or required by applicable law.

This consent shall be freely given, specific, informed and an unambiguous indication of the data subject's wishes.  The consent shall take the form of a statement or clear affirmative action, signifying agreement to the processing of personal data. The consent may take the form of ticking a box electronically or another statement or conduct which clearly indicates acceptance (Opt-In).  Silence, pre-ticked boxes and inactivity does not constitute consent and will not be used by Insight Rx.  

Once this consent has been given, data subjects may withdraw this consent to disclose personal information to a third party or use personal information fora purpose other than the purpose for which it was originally collected or subsequently authorized (Opt-Out). To withdraw consent, data subjects must submit a request to the Insight Rx Data Protection Officer at support@insight-rx.com.  The withdrawal of consent will be processed without undue delay after receipt of the request.  The withdrawal does not impact the lawfulness of any processing that occurred prior to the withdrawal.

Minors may not consent to use and disclosure of their personal data unless authorized by applicable law to consent to such use and disclosure on their own behalf. Adults may consent on behalf of children if they are the legal parent, guardian or personal representative in accordance with applicable laws.  Individuals who consent to the use and disclosure of personal data represent that they have the legal authority to do so.  We will delete any personal information collected based upon consent that we later know to be from a person not authorized to consent to the use and disclosure.

V. Onward transfers to subcontractors

Should Insight Rx contract with another processor ("subcontractor") to provide any of the services Insight Rx provides to customers/controllers, Insight Rx will enter into a contract with that subcontractor that provides that the subcontractor may have access to personal information only for purposes of performing these tasks on our behalf. Insight Rx will obtain assurances from the subcontractor that the subcontractor will safeguard personal information consistently with this Privacy ShieldPolicy. Appropriate assurances will be obtained under contract obligating the subcontractor to provide at least the same level of protection as is required by the relevantPrivacy Shield Framework Principles, and other applicable law including GDPRand the Swiss DPA. Appropriate assurances will be obtained under contract obligating subcontractors to notify Insight Rx if the subcontractor can no longer provide these protections; and upon receipt of such notice, obligating Insight Rx to take reasonable steps to stop and remediate any unauthorized processing.  InsightRx remains liable for the acts and omission of its subcontractors unlessInsight Rx proves that it is not responsible for the event giving rise to the damage.

VI. Security

Insight Rx follows generally accepted industry standards to protect personal information when it is stored or processed by Insight Rx. Insight Rx has implemented security safeguards to protect personal information regardless of the format in which it is held, against loss or theft, unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. Insight Rx uses safeguards that are appropriate to the sensitivity of the information.InsightRx uses security measures to ensure that personal information is being appropriately protected including, by way of example, the following:

  • Physical measures such as limiting access to physical space that houses the system/application and work spaces to authorized personnel, restricted areas are locked, the presence of visitors is recorded, and visitors are escorted.
  • Organizational measures such as limiting workforce access to the minimum necessary to accomplish the intended purpose, and requiring subcontractors to provide comparable security measures; and
  • Technological measures such as the use of strict logical access controls, strong password controls, automatic log off, encryption, and firewalls.

When disposing of or anonymizing personal information, Insight Rx will use appropriate security measures to ensure that personal information is not inappropriately used.

InsightRx will, on a regular basis, review and update security policies and controls as technology changes to ensure ongoing personal information security.

No method of electronic storage is 100% secure. Therefore, while Insight Rx strives to use commercially acceptable means to protect personal information, Insight Rx cannot guarantee its absolute security.

VII. Data Integrity and Purpose Limitation

Personal information that is collected and processed by Insight Rx is limited to the information relevant for the purpose of the processing for which it was originally collected or subsequently authorized by the data subject, unless the use or disclosure is otherwise permitted or required by applicable law or unless the data subject has expressly consented to processing for other purposes.  Insight Rx takes reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current and shall do so for as long as Insight Rx retains the information.

VIII. Individual Rights

The GDPR gives data subjects' certain rights with respect to their personal information. These rights include the right to access, correct, delete, restrict, and move personal information subject to certain requirements, restrictions, and exceptions. Data subjects may also object to the processing of personal data under certain circumstances. Data subjects also have certain rights with respect to automated decision-making including profiling. As set forth in this Policy, Insight Rx will provide data subjects their rights as required by law and subject to the requirements, restrictions and exceptions set forth in the GDPR. In order to request access, correction, deletion, restriction, or movement; or in order to object to processing or automated decision making, please email the Insight Rx Data Protection Officer at support@insight-rx.com.  Insight Rx may need to verify your identity prior to granting any such request.

A. Access

Upon request, Insight Rx will, as required by applicable law or if required by its contracts with customers/controllers, grant individuals reasonable access to personal information that it holds about them. Insight Rx will assist controllers in fulfilling requests by individuals for access to their information that is being processed by Insight Rx. A copy of personal data undergoing processing must be provided to data subjects by controllers without charge. Controllers may charge a reasonable fee for additional copies. An individual's right to access may be limited if it would adversely affect the rights and freedoms of others.

B. Correction

Upon request, Insight Rx will, as required by applicable law or if required by its contracts with customers/controllers, permit individuals to correct or amend information without undue delay that is demonstrated to be inaccurate or incomplete. As a processor, Insight Rx will assist controllers in fulfilling requests by individuals for correction or amendment. Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

C. Deletion

Upon request, Insight Rx will delete information without undue delay as required by applicable law or if required by its contracts with customers/controllers. As a processor, Insight Rx will assist controllers in fulfilling requests by individuals for deletion.The right to have personal information deleted is subject to certain conditions, including but not limited to: the data is no longer necessary for the purposes for which it was collected or processed; the data subject withdraws consent when the processing is based on consent and there are no other legal grounds for processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; and the data have been unlawfully processed. Under certain circumstances under the law, data cannot be deleted, including but not limited to when processing is necessary for: public health, scientific research or statistical purposes, and defense of legal claims.

D. Restriction

Upon request, Insight Rx will restrict the processing of information as required by applicable law or if required by its contracts with customers/controllers. As a processor, Insight Rx will assist controllers in fulfilling requests by individual for restrictions. Restrictions may be requested, for example, when: the accuracy of the personal data is contested; the processing is unlawful and the data subject prefers restriction to deletion; the data is no longer needed for processing but is still needed for defense of legal claims; or there is a question whether the processing overrides the interests of the data subject.

E. Data Portability

Under certain circumstances, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the initial controller. If technically feasible, data subjects may have the data transmitted directly from one controller to another. The right to portability must not adversely affect the rights and freedom of others. As a processor, Insight Rx will assist controllers in movement of the data for these purposes as applicable.

F. Objection

Data subjects have the right to object to the processing of personal data under certain circumstances including the right to object at any time to the processing of personal data for direct marketing purposes. Once a data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes. Data subjects also have certain rights with respect to automated decision-making including profiling. A data subject has the right, under certain circumstances, not to be subject to profiling which produces legal effects for the data subject. This right does not apply if the profiling is necessary to perform a contract between the data subject and controller, is authorized by law, or is based on the data subject's explicit consent.Upon request, Insight Rx will restrict the processing of information in accordance with the data subject's exercise of the right to object as required by applicable law or if required by its contracts with customers/controllers. As a processor, Insight Rx will assist controllers in fulfilling such requests by individuals.

IX. Recourse, Enforcement, Liability

Insight Rx commits to resolve complaints about the collection or use of personal information. Individuals with inquiries or complaints regarding this Policy or regarding the use or disclosure of personal information should first contact Insight Rx Data Protection Officer at:

Data Protection Officer
InsightRX, Inc.
support@insight-rx.com.

Insight Rx will investigate and attempt to resolve complaints regarding use and disclosure of personal information by reference to the principles contained in this Policy. Insight Rx will respond to an individual who has submitted a complaint within 45 days.

Arbitration
Arbitration may be invoked for complaints that remain unresolved after: (1) submitting a complaint to Insight Rx does not resolve the complaint; (2) submitting a complaint to an independent dispute resolution mechanism does not resolve the complaint; and (3) allowing the U.S. Department ofCommerce an opportunity to resolve the issue. The remedies from this arbitration are limited to individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual.  No damages, costs, fees, or other remedies are available from this arbitration.  Each party bears its own attorney's fees for arbitration.

X. Limitation and Amendments

Adherence by InsightRx to GDPR may, as permitted, be limited (a) to the extent required to respond to a legal obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and(c) to the extent expressly permitted by an applicable law, rule or regulation. This Policy may be amended from time to time, in a manner consistent with the requirements of the GDPR. Insight Rx will post any revised policy on the Site. We encourage visiting the Insight Rx website periodically to check for updates.