EEA and UK Website Privacy Notice
Effective: June 30, 2023
EEA and UK Website Privacy Notice (“EEA Terms”)
Who is responsible for the processing of my personal data?
For the processing of your personal data as described in this EEA and UK Website Privacy Notice, the controller within the meaning of the GDPR and the UK Data Protection Act is Foundation Medicine, Inc., 150 Second Street, Cambridge, MA 02141, USA.
What personal data will be collected? For which purposes and on which legal basis will my data be processed?
For the purpose of this EEA and UK Website Privacy Notice "personal data" means any information related to you as an identified or identifiable natural person.
In general, you can visit our Website without telling us who you are and without actively revealing any of your personal data. In this case, we will only collect and process certain information about Website access that is automatically collected when you connect to our Website, such as your IP address and other related data. Please see below for details.
Our Website collects certain personal data automatically when you visit our Website. The information collected may include browser type and version, operating systems used by your accessing system, the website from which an accessing system reaches our Website (the referrer URL), hostname of accessing system, date and time of server request, IP address of accessing system, name of the requested file, access status (file transmitted, not found, etc.), and size of data transferred.
These types of data will be automatically submitted from your browser to Foundation Medicine and be stored in server log files when you access our Website. We generally process the relevant data for the duration of your session to enable the technical delivery of our Website’s content and features to your device. Additionally, the data will be stored by us in log files for a period of time for purposes of technical security of our Website, in particular to protect us against attempts to attack our web server. We may provide law enforcement authorities with the information necessary for criminal prosecution, such as in case of a cyber-attack or misuse of our Website. The log file data is stored separately from any other personal data that you provide to us.
The data is deleted thereafter, or anonymized by shortening the IP address, so that it is no longer possible to draw any conclusion to the identity of an individual user of our Website. We analyze and use the data in anonymized form for internal statistical purposes, and to optimize the content, features, and security of our Website.
Foundation Medicine processes your personal data on the basis of its legitimate interests in operating our Website, ensuring the efficiency and security of the Website, improving and maintaining site functionality, and establishing, exercising and defending our legal claims (Art. 6(1) lit. f) GDPR).
Contact via Website
Our Website offers the possibility to contact us, including via the contact details set out on the Website. In this case, we collect certain of your personal data which you reveal to us in the context of your communication. This may include your name, address, and/or email address, the topic and content of your request, inquiry or other communication, and any other personal data disclosed to us in the course of your contact, including potentially any health data disclosed by you. Except as set out otherwise in this EEA and UK Website Privacy Notice, we will process the personal data solely for purposes of handling your request, inquiry or communication, such as responding to your inquiry or providing you with the required information. The processing of your personal data is based on the necessity of the processing for purposes of our legitimate interests in ensuring efficient communication and processing of any requests or inquiries, in ensuring and documenting compliance with our legal obligations, and in establishing, exercising and defending our legal claims (Art. 6(1) lit. f GDPR).
HCP / Patient Account
In order to enable you to access and use certain services offered through our Website ("Portal Services"), we will ask you to create an account. To create this account, we will collect certain personal information from you, including your name, email, and the work role pursuant to which you are registering an account with us. We will only store and use this information, as well as the data that we collect from you in connection with the use of the Portal Services ("Account Data"), to provide to you such services in accordance with the terms of the end user license agreement (“EULA”) you will be required to agree to prior to accessing and using the Portal Services.
Complying with our Obligations and Exercising Our Rights
We may use your personal data on the basis of our legitimate interests to establish, exercise and defend our legal rights where it is necessary to do so, for example to detect, prevent and respond to misuse of our Website or to protect ourselves against claims (Art. 6(1) lit. f) GDPR). We may further process your personal data to the extent necessary to comply with our legal or regulatory requirements, where this is required by law, for example for documenting and reporting product complaints and safety issues, complying with data retention obligations or other regulatory requirements (Art. 6(1) lit. c) GDPR).
Who will my personal data be disclosed to?
Will my data be processed in countries outside the EU/EEA?
How long will my data be stored?
We retain your personal data for as long as needed for the purpose the data was collected and further processed, in accordance with our data retention policy (which sets forth data retention periods and deletion routines in accordance with applicable law). Please see below on further details on how long we store certain data categories collected under this EEA and UK Website Privacy Notice.
- Data about Website Access (Log Files): The data about website access collected in the context of your use of our Website will generally be completely deleted or anonymized by shortening your IP address once it is no longer needed for the purposes described in this EEA and UK Website Privacy Notice, unless the data is required for complying with statutory obligations or the establishment, exercise or defense of legal claims.
- Contact and Communication Data: Any personal data disclosed to us in the context of a contact, such as an inquiry, the request for information or any other communication will generally be stored by Foundation Medicine only for as long as necessary for the complete processing and handling of your request or inquiry, except when longer storage is necessary to achieve the further purposes described in this EEA and UK Website Privacy Notice.
- Account Data: We generally store your Account Data until you delete your account for the Portal Services. In addition, we store the data to the extent necessary for the complete execution of the EULA.
Your personal data will be deleted thereafter, except where any further storage is necessary to comply with our legal obligations, in particular any applicable data retention obligations, or for the establishment, exercise or defense of our legal claims (such as the need to retain records in order to resolve disputes and investigate or defend against potential claims).
Which rights do I have?
Subject to applicable data protection laws of the member states of the EU/EEA and the UK, including the GDPR and the UK Data Protection Act, you have the right:
- to obtain information on the personal data processed concerning you and to obtain a copy of such data (right of access);
- to obtain the rectification of any inaccurate personal data and, having regard to the purposes of the processing, the completion of incomplete personal data (right to rectification);
- if there are legitimate reasons, to request the deletion of your personal data (right to erasure; right to be forgotten);
- to request the restriction of the processing of your personal data, if the legal requirements are met (right to restriction of processing);
- if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by Foundation Medicine (right to data portability); and
- not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met. An automated decision-making process is not carried out by Foundation Medicine.
You also have the right to object, subject to applicable local law, to the processing of personal data which is necessary for the purposes of our legitimate interests at any time on grounds relating to your particular situation (right to object).
If the data processing is based on consent, you can withdraw the consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data until its withdrawal. If you withdraw your consent, we might still need to process certain personal data relating to you to comply with a legal obligation (for example, to provide you important safety information) or to pursue a legitimate business interest.
To exercise your rights (including the withdrawal of your consent), as well as in the event of questions regarding the processing of your personal data, please contact us at any time using the contact details below.
If you are a resident of the European Union (“EU”), you may also lodge a complaint with the relevant supervisory authority if you consider that our processing of your personal information infringes applicable law. Contact details for all EU Supervisory Authorities can be found here.
If you have questions about our privacy practices, or wish to request this information in a different format, please contact us at the following:
Foundation Medicine GmbH
Attn: Data Protection Officer
Nonnenwald 2, Building 433
D-82377 Penzberg, Germany