Privacy Shield Certification:
The Privacy Shield includes two frameworks, a European Union/United States program implemented to ensure the protection of personal information (PI) transferred from European Union Member States to the U.S and a similar Swiss-U.S. program for similar transfers of PI from Switzerland to the U.S. The types of PI protected under the Privacy Shield frameworks include Human Resources (HR) PI for employees and Non-HR PI. An organization in the U.S. intending to receive PI from E.U. Members or Switzerland can self-certify to the respective Privacy Shields; this is recognized by E.U. Members and Switzerland as meeting the minimum requirements of data protection for PI transfers from any of those jurisdictions to the U.S. Caris MPI, Inc. d/b/a Caris Life Sciences and its affiliates and subsidiaries (collectively, “Caris”) comply with the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks, and commit to adhering to the seven Privacy Shield Principles when receiving Non-HR and HR PI from E.U. Members or Switzerland. For Caris’ Privacy Shield participation, Caris is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Information on the Privacy Shield program and a list of participants may be found at privacyshield.gov. Among the requirements of the Principles, Caris will adhere to the following:
- Caris will only use the select Non-HR PI and HR PI (such as name, address, date of birth, gender, and certain health information) Caris collects for the purposes of providing Caris’ products and services or other purposes consistent with your authorization or consent. Caris will notify patients whose Non-HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland of Caris’ self-certification to the Privacy Shield, including what steps Caris takes to protect such PI. Caris will also notify patients whose Non-HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland that Caris may be required to disclose PI in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Caris will provide the same types of notice to employees whose HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland;
- Caris will provide patients & employees whose PI will be transferred to the U.S. from E.U. Members and/or Switzerland an opportunity to opt into and/or out of certain disclosures, including transfer of PI to a third party. If any E.U. Member/Swiss PI is transferred to a third party, such third party will also adhere to the Principles and enter into any required contractual arrangements as provided in the Privacy Shield. Caris remains liable under the Privacy Shield Principles if Caris’ agents process Non-HR PI or HR PI inconsistent with the principles, unless Caris is not responsible for the event giving rise to the damage;
- Caris will ensure that patients & employees whose PI has been transferred to the U.S. from E.U. Members and/or Switzerland have the opportunity to review and amend their own PI (where it remains PI, i.e., in identifiable form) by contacting Caris at legal@carisls.comor in writing at Caris Life Sciences, Sarah Toelle – Privacy Officer, 750 West John Carpenter Freeway, Suite 800, Irving, Texas 75039;
- Caris will adhere to an independent recourse mechanism for cases of complaints regarding the handling of Non-HR PI transferred to the U.S. from E.U. Members and/or Switzerland. Complaints may first be directed to Caris at the contact information provided below. Should your complaint fail to be resolved, you may file a complaint, free of charge, with the US-based independent recourse mechanism JAMS at https://www.jamsadr.com/eu-us-privacy-shield. Should your complaint fail to be resolved through the independent recourse mechanism, you may file a complaint with your data protection authority which will raise the matter with the U.S. Department of Commerce. Should your complaint still fail to be resolved, you may have a right to invoke binding arbitration. Please contact Caris as detailed above for more information; and
- Caris has committed to cooperate with EU data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning HR PI transferred to the U.S. from E.U. Members and/or Switzerland in the context of the employment relationship. If you do not receive timely acknowledgment of your complaint from Caris, or if Caris has not addressed your complaint to your satisfaction, please contact the EU DPAs or FDPIC for more information or to file a complaint. The services of EU DPAs and FDPIC are provided at no cost to you. Should your complaint fail to be resolved by the EU DPAs or FDPIC, you may have a right to invoke binding arbitration. Please contact Caris as detailed above for more information.