NPP GDPR

NOTICE OF PRIVACY PRACTICES UNDER GDPR FOR EU AND SWISS RESIDENTS

This section applies to individuals using or accessing our Website while located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland at the time of data collection.

Privacy Rights for the European Economic Area, the United Kingdom, and Switzerland

If you are in the European Economic Area, the United Kingdom, or Switzerland you have certain data protection rights under the General Data Protection Regulation (GDPR); these include the following:

  • Your right to be informed. This Privacy Policy, together with our Cookie Policy, tells you about the ways in which we use your Personal Data.
  • Your right of access. You have the right to ask us for copies of your Personal Data. There are some exemptions and limitations in what we can provide in response to such requests, which means you may not always receive all the Personal Data we process. We will inform you if any exemption or limitation applies and what its impact is.
  • Your right to correction. You have the right to ask us to correct Personal Data you think is inaccurate. You also have the right to ask us to complete your Personal Data you think is incomplete.
  • Your right to erasure. You have the right to ask us to erase your Personal Data in certain circumstances. Where it is appropriate that we comply, your request will be fully actioned within 30 days. Please note that we may not always be able to remove your Personal Data from ongoing or completed research studies. We may also retain some account information related to purchase and service history. This enables us to provide ongoing support regarding prior purchases and services, and is also necessary for accounting, audit and compliance purposes. We may also retain limited backup copies and archival files of your Personal Data to satisfy our state and federal legal obligations or regulatory requirements, including those set by the Clinical Laboratory Improvement Amendments (CLIA).
  • Your right to restriction of processing. You have the right to ask us to restrict the processing of your Personal Data in certain circumstances. For example, you can request that we limit the way in which we use your “Personal Data” (as defined by the GDPR) if you are concerned about the accuracy of the data or how it is being used.
  • Your right to object to processing. You have the right to object to processing of your Personal Data in certain circumstances. Where it is appropriate that we comply with your request, we will stop processing your information for the use you have objected to.
  • Your right to data portability. You have the right to receive your Personal Data which you have provided to us. You also have the right to have us send your Personal Data to another organization where our lawful basis for the processing is your consent, or where the processing is necessary for the performance of an agreement and the processing is carried out by automated means.

PERSONAL DATA WE COLLECT

  1. How We Obtain Personal Data

ArcherDX, as a healthcare provider, only obtains and uses Personal Data that we actually need in order to perform and improve our healthcare services. We obtain your Personal Data in a number of ways:

Patients

  • You provide it to us when you register for an account to receive information about our testing.
  • You provide it to us when you contact us via email, fax, or telephone.
  • Your physicians provide your Personal Data to us in the form of a test requisition report and other healthcare reports in order for us to perform laboratory testing for you.
  • When you visit our websites, we automatically log some basic information like how you got to the site, where you navigated within it, and what features and settings you use. We use this information to improve our websites and services.
  • We generate a test results report which we provide to your physicians and to you when you directly request this information.

 

Physicians

  • You provide Personal Data to us when you register for an account to receive information about our testing.
  • You provide it to us when you contact us via email, fax, or telephone.
  • You provide it to us when we visit with you in person.
  • When you visit our websites, we automatically log some basic information like how you got to the site, where you navigated within it, and what features and settings you use. We use this information to improve our websites and services.
  • We generate a test results report for your test orders and provide these reports to you for your patient treatment purposes.

 

Employees

Collection of Personal Data for EU, UK and Swiss employees is governed by ArcherDX’s EU Employee Privacy Notice, which is provided to these employees at the time of hire. If you are an EU, UK or Swiss employee and have any questions, please contact HR or privacy@archerdx.com.

  2. What Personal Data Is Collected

The Personal Data we collect includes contact information about you, such as your name, address, email address, telephone number and identification numbers used by your physicians.

If you are a patient, we also obtain information concerning your health, such as your current diagnosis, types of treatment for your cancer, what other tests have been performed and other pathology data needed to perform our testing services.

When we provide a test results report, it will include the patient’s Personal Data and will include genetic information regarding possible mutations in the patient’s cancer tumor.

If you visit our product website, limited cookies will be used to help us improve, promote and protect our services. These cookies track your IP address, your submissions to us and your interactions with our web content. The information is used by us to provide a better web experience for you and to keep information you have given to us as accurate as possible. 

PROCESSING PERSONAL DATA

  1. How We Process Personal Data

Personal Data is processed in order to:

  • Maintain your account through our patient and physician portals.
  • Maintain a patient’s medical record per applicable regulations.
  • Contact physicians regarding patient test results and any information that may be missing from a test order.
  • Obtain payment for our services.
  • Contact physicians to provide educational information about our services.
  • Perform testing services as requested by physicians through our network systems.
  • Respond to any direct inquiries from you.
  • We may keep a record of your payment if you paid ArcherDX directly. This record will only include your name and payment amount. Payments made by patients are made through a third-party payment service; therefore, we do not obtain, maintain or store any credit card information on ArcherDX systems.
  • After pseudonymization or anonymization of Personal Data, conduct scientific research to improve testing services.

 

  2. Lawful Basis for Processing Personal Data

We process Personal Data as mentioned above in order to perform our laboratory testing services for patients.  We are using your Personal Data in ways that you would expect:

Patients for treatment purposes. In order to perform testing and bill for our services, we need accurate and current contact information and medical information.  Test results depend on certain Personal Data related to health and genetic data provided through the patient’s blood draw. ArcherDX has no direct contact with a patient whenever a test is ordered by a physician.  Therefore, the patient’s consent for testing is explained by and given to the patient by his/her physician.

If you have registered for an online account with us, we also need Personal Data from you to keep your account up to date and to communicate with you.

We legitimately need all the Personal Data we obtain in order to perform our testing services, maintain accounts and records, and provide information to physicians for use in patient treatment.

Data for scientific research purposes.  Pseudonymized and anonymized data is used for scientific research related solely to improving our testing services and to provide medical education to physicians. For most studies, we do not have personally identifiable data related to the study subjects.  However, we may conduct data research on data where we have removed identifiable information.  Therefore, we would not be able to identify the data to any specific patient.  This type of research, even if in the hands of a wrong-doer, has a very low risk of patient re-identification.

Physicians for contact purposes.  Physician contact information is maintained in order to communicate directly with treating physicians about their patients.  We also use Personal Data to provide medical education information to physicians.  We might also contact physicians regarding contractual services such as advisory boards and presentations.

 

  3. Sharing Personal Data with Third Parties

Under some circumstances we are required to provide your Personal Data to others. We will disclose Personal Data if it’s necessary to comply with a legal obligation, prevent fraud, enforce an agreement, or for public safety. We may be required by law to preserve or disclose your Personal Data and service data to comply with any applicable laws, regulations, legal process or governmental request, including to meet national security requirements.

ArcherDX does not share your Personal Data except as needed to provide its healthcare services.  Therefore, your data may be shared with your physicians, your authorized representatives, internally with ArcherDX’s medical team and with researchers after pseudonymization or anonymization.

We never sell your identifiable Personal Data or share it with marketers.  However, some of our service providers may have incidental contact with your Personal Data when they perform contracted services for us, such as our billing vendor.  These contractors will be obligated to maintain privacy and security of Personal Data they might view.  All vendors who may handle Personal Data have had a security assessment to ensure that they have the capability of maintaining appropriate security measures.

 

  4. Storing Personal Data

We store your Personal Data using state-of-the-art technical tools, such as data encryption which encrypts data while at rest and in transit, access control to all systems, sharing only the minimum amount necessary with the minimum number of employees (and trained contractors) to perform our services, password protection, constant security monitoring and recovery mechanisms for data loss.

We store your Personal Data for as long as necessary to run your test, ensure that the results are complete and accurate and within clinical laboratory regulations which currently require medical record storage for seven years. Additionally, pseudonymized and anonymized data may be stored for additional years if necessary for research record keeping and regulatory submissions.

Physician contact information is kept until they are no longer customers. Physicians who stop ordering tests will have their Personal Data removed from our systems.

YOUR RIGHTS

If you are in the EEA, you have the following rights with respect to information that ArcherDX holds about you.

  • Right to access. You have the right to access (and obtain a copy of, if required) the categories of Personal Data that we hold about you, including the information’s source, purpose and period of processing, and the persons with whom the information is shared.
  • Right to rectification. You have the right to update the information we hold about you or to rectify any inaccuracies. Based on the purpose for which we use your information, you can instruct us to add supplemental information about you in our database.
  • Right to erasure. You have the right to request that we delete your Personal Data in certain circumstances, such as when it is no longer necessary for the purpose for which it was originally collected.
  • Right to restriction of processing. You may also have the right to request us to restrict the use of your information in certain circumstances, such as when you have objected to our use of your data. However, we can verify whether we have overriding legitimate grounds to use it.
  • Right to data portability. You have the right to transfer your information to a third party in a structured, commonly used and machine-readable format, in circumstances where the information is processed with your consent or by automated means.
  • Right to object. You have the right to object to the use of your information in certain circumstances, such as the use of your Personal Data for direct marketing.
  • Right to complain. You have the right to complain to the appropriate supervisory authority if you have any grievance against the way we collect, use or share your information. This right may not be available to you if there is no supervisory authority dealing with data protection in your country.

CONTACT INFORMATION

ArcherDX has appointed a Data Protection Officer to oversee our management of your Personal Data in accordance with this Privacy Policy. If you have any questions or concerns about our privacy practices with respect to your Personal Data, you can reach out to our Data Protection Officer by sending an email to dpo@archerdx.com or by writing to Data Protection Officer, ArcherDX, 2477 55th Street, Suite 202, Boulder, CO, United States 80301.
