This Privacy Shield Policy ("Policy") describes Nocimed™, Inc.'s ("Nocimed") practices relating to the processing of Personal Data that Nocimed obtains from Data Subjects located in the European Union (EU) (hereinafter "EU Personal Data"). If there is any conflict between the policies in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
Nocimed complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Data Subjects in the European Union member countries (EU Data Subjects). Nocimed has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. All Nocimed employees who handle EU Personal Data are required to comply with the principles stated in this Policy. Nocimed employees who fail to abide by this Policy may be subject to disciplinary action. Nocimed is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.
Capitalized terms are defined in Section 11 of this Policy.
Nocimed will renew its EU-US Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
Prior to the re-certification, Nocimed will conduct a self-assessment to ensure that its attestations and assertions about its treatment of Individual Patient Personal Data are accurate and that the company has appropriately implemented these practices.
Physicians located in the EU may collect EU Personal Data from Individual Patients, subject to such Individual Patients' lawful consent, and may forward this Personal Data to Nocimed for the purpose of providing a NOCIGRAM-LS™ report. The following data may be obtained and transferred with an Individual Patient's MRI/MRS record: MRI/MRS images, name, medical record number (MRN), height, weight, and age/birthdate. Per the Privacy Shield Principles, this information may be considered sensitive information.
The Physician, as data controller, determines the purposes of processing, what EU Personal Data is relevant for the purposes of processing, and the means of the processing of the EU Personal Data, and Nocimed will process said Personal Data on behalf of and under a written data processing contract concluded between Nocimed and the Physician. Nocimed will use the Personal Data transferred to Nocimed by the Physician for the sole purpose of analyzing the MRI/MRS data and providing a NOCIGRAM™ report.
Nocimed will take reasonable steps to help ensure the integrity of the EU Personal Data. Nocimed and the Physician will also take reasonable steps to ensure that the EU Personal Data is reliable for its intended use, accurate, complete, and current.
Nocimed may engage other data processors for carrying out specific processing activities with regard to the EU Personal Data transferred by the Physician only under appropriate data processing contracts, as required by the Privacy Shield Principles and mirroring the data protection obligations that Nocimed has accepted under the data processing contract concluded between Nocimed and the Physician. Such recipients must agree to abide by confidentiality obligations and treat EU Personal Data as required under the Privacy Shield Principles. Nocimed will take reasonable and appropriate steps to ensure that the data processors use the EU Personal Data in accordance with the agreement and consistent with the Privacy Shield Principles. Should Nocimed receive notice of any unauthorized processing by the data processors, Nocimed will take reasonable and appropriate steps to stop the unauthorized processing and remediate. Nocimed will maintain copies of all of its agreements with data processors to which it transfers EU Personal Data and provide copies of the agreements to the Department of Commerce upon request.
Nocimed may engage third party service providers (data processors) that provide data storage and transfer services for the purposes of transmitting results (which include EU Personal Data) to the requesting Physician. Nocimed may also engage third party service providers (data processors) to provide it with on-site and cloud data storage services.
Nocimed may also disclose EU Personal Data for other purposes only when a Data Subject has consented to or requested such disclosure. Nocimed is liable for appropriate onward transfers of Personal Data to third parties.
Please be aware that Nocimed may be required to disclose EU Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Nocimed takes reasonable and appropriate measures to protect EU Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. In so doing, Nocimed takes into account the risks involved in its processing of the EU Personal Data and the nature of the EU Personal Data it receives.
If Nocimed discloses EU Personal Data to a third party, Nocimed will contractually require that third party to provide the same level of protections to the EU Personal Data as required by the Privacy Shield Principles. Nocimed requires valid SOC 2 Type II reports from all third parties that will transfer or maintain Personal Data.
Nocimed personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.
In compliance with the Privacy Shield Principles, Nocimed commits to resolve complaints about the privacy of EU Data Subjects and our collection or use of EU Personal Data. EU Data Subjects with inquiries or complaints regarding this Policy should first contact Nocimed at:
c/o Plug and Play Tech Center
370 Convention Way
Redwood City, CA 94063
Phone: (650) 241-1740
Fax: (650) 241-1728
Nocimed will respond to EU Data Subject inquiries within 45 days.
Nocimed has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If EU Data Subjects do not receive timely acknowledgment of their complaint, or if their complaint is not satisfactorily addressed, they may visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Should an EU Data Subject complaint not be resolved through these channels, under limited circumstances, a binding arbitration option may be available to the EU Data Subject before a Privacy Shield Panel as further explained in the Privacy Shield Principles in order to address residual complaints not resolved by any other means. For additional information, please see Annex I of the Privacy Shield Principles https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. Nocimed will make employees aware of changes to this Policy either by posting to our intranet, through email, or other means. Nocimed will notify Physicians if Nocimed makes changes that materially affect the way Personal Data that was previously collected is handled.
"Individual Patient" means an individual patient in the EU for whom a prescribing Physician intends to receive a NOCIGRAM-LS™ Report from Nocimed. This individual patient can also be considered a "Data Subject," depending on the circumstance.
"Data Subject" means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
"Employee" means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of Nocimed.
"Europe" or "European" refers to a country in the European Union.
"Personal Data" as defined under the European Union Directive 95/46/EC means data that personally identifies or may be used to personally identify a person, including an individual's name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available.
"Physician" means the healthcare provider providing or prescribing treatment to the patient in the EU; this includes a member of that prescribing healthcare provider’s team who is authorized to obtain consent.
"Sensitive Data" means Personal Data that discloses a Data Subject's medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.
"Third Party" means any individual or entity that is neither Nocimed nor a Nocimed employee, agent, contractor, or representative.