Imprivata Privacy Shield Policy
This Privacy Shield Policy (“Policy”) applies to Imprivata, Inc., Ground Control, Inc., FairWarning, LLC, and SecureLink, Inc., which have all been integrated into Imprivata, Inc. This Policy was last updated on December 23, 2022 and supplements our Imprivata Privacy Policy (“Imprivata Policy”).
1. What does this Policy cover?
Imprivata complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as outlined by U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) that is transferred from European Union member countries and Switzerland to the United States. If there is any conflict between the policies outlined in this Policy and the Privacy Shield Principles, the Privacy Shield Principles will govern. To learn more about the Privacy Shield Framework, and to view our certification page, please visit https://www.privacyshield.gov/.
As the Privacy Shield Framework only applies to Personal Data transferred from European Union member countries and Switzerland, this Policy only applies to Personal Data transferred from European Union member countries and Switzerland to our operations in the United States.
Although European courts and regulators invalidated the Privacy Shield Framework as a transfer mechanism to support transfers of Personal Data from European Union member countries and Switzerland to the United States, Imprivata is committed to protecting all Personal Data received from such countries in accordance with the Frameworks’ applicable Principles (as set forth below).
All employees of Imprivata that have access to Personal Data covered by this Policy are responsible for conducting themselves in accordance with this Policy. Personal Data covered by this Policy shall not be collected, used, or disclosed in a manner contrary to this Policy without proper written permission from Imprivata’s legal department.
2. What terms do I need to know to understand this policy?
“Data subject” means an identifiable natural person who can be identified, directly or indirectly, by Personal Data supplied to Imprivata.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).
“Sensitive Personal Data” mean Personal Data regarding a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric or genetic data used to uniquely identify a data subject, physical or mental health, criminal record, or sexual orientation or life.
3. How does Imprivata comply with Privacy Shield?
Imprivata commits to subject all Personal Data covered by this Policy to the Privacy Shields’ Principles in accordance with the respective Privacy Shield Framework. Information about each of the Privacy Shield’s Principles, and how Imprivata complies with each, can be found below.
- Notice
Imprivata notifies Data Subjects covered by this Policy about our data practices regarding Personal Data received in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework. The information we provide to Data Subjects includes the types of Personal Data we collect about them, the purposes for which we collect and use such Personal Data, the types of third parties to which we disclose such Personal Data and the purposes for which we do so, the rights of Data Subjects to access their Personal Data, the choices and means that we offer for limiting our use and disclosure of such Personal Data, how our obligations under the Privacy Shield are enforced, and how Data Subjects can contact us with any inquiries or complaints.
- Choice
If Personal Data is (a) disclosed to a third party not identified at the time of data collection or (b) used for a purpose other than that which it was originally collected for, Imprivata will provide Data Subjects with an opportunity to choose whether to have their Personal Data so disclosed or used. Imprivata’s employees are responsible for providing proper notification to Data Subjects when they have the right to opt out of such disclosures or uses.
- Accountability for Onward Transfer
In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as a controller, we will do so only if the third party has provided us with contractual assurances that it will (a) process the Personal Data for limited and specified purposes consistent with the consent provided by the Data Subject; (b) provide the same level of protection as is required by the Privacy Shield Principles; and (c) notify us if they can no longer meet this obligation.
As more fully set forth in the Imprivata Policy, in the conduct of Imprivata’s business operations, we may share Personal Data with attorneys, consultants, human resources providers, payroll providers, and other service providers contracted to provide services for the activities, delivery, and management of Imprivata products and services.
Imprivata may disclose Personal Data to approved third party data processors retained or contracted by Imprivata such as business partners and subcontractors, including, without limitation, affiliates, vendors, service providers and suppliers. We may share certain Personal Data with third parties who conduct marketing studies and data analytics, including those that provide tools or code which facilitates our review and management of our web site and services, such as Google Analytics or similar software products from other providers.
Except to the extent agreed by you, Imprivata may be required to share Personal Data as required or permitted by law, regulation, legal process, court order, bankruptcy or other legal requirement, or when we believe in our sole discretion that disclosure is necessary or appropriate, to respond to an emergency or to protect our rights, protect your safety or the safety of others, investigate fraud, comply with a judicial proceeding or subpoenas, court order, law-enforcement or government request, including without limitation to meet national security or law enforcement requirements, or other legal process and to enforce our agreements, policies and terms of use. Other than the aforementioned exceptions, the use and disclosure of all transferred Personal Data will be subject to this Policy.
In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as an agent, we will do so only if the third party has provided us with contractual assurances that it will (a) transfer the Personal Data for limited and specified purposes; (b) provide the same level of protection that is required by the Privacy Shield Principles; (c) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with our obligations under the Privacy Shield Principles; (d) and require the agent to notify us if it makes a determination that it can no longer meet its obligations to provide the same level of protection as required by the Privacy Shield Principles. If we receive such a notice, we will (a) take reasonable and appropriate steps to stop and remediate any authorized processing and (b) provide a summary or copy of the relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce, if requested.
Imprivata remains liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Policy in a manner inconsistent with the Principles, except where we are not responsible for the event giving rise to the damage. Additionally, we may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
- Security
Imprivata takes reasonable and appropriate measures to protect Personal Data covered by this Policy from loss, misuse, unauthorized access, disclosure, alteration and destruction. While Imprivata cannot guarantee the security of Personal Data, we are committed to safeguarding all Personal Data received from the EU and Switzerland.
- Data Integrity and Purpose Limitations
Imprivata only collects Personal Data covered by this Policy that is relevant for the purposes of processing. We do not process Personal Data that is incompatible with the purposes for which it was collected or authorized by the Data Subject. Additionally, Imprivata takes reasonable steps to ensure that any Personal Data that is collected is relevant to its intended use, accurate, complete and current.
Imprivata retains Personal Data in a form identifying or making identifiable a Data Subject only for as long as it serves a purpose of processing, which includes the performance of Services, obligations to comply with professional standards and legitimate business purposes. We will only request the minimum amount of Personal Data required to carry out these purposes and will adhere to the Privacy Shield Principles for as long as we retain Personal Data.
- Access
All Data Subjects have the right to access the Personal Data covered by this policy that Imprivata holds about them. Additionally, if Personal Data is inaccurate or has been processed in violation with the Privacy Shield Framework, Data Subjects have the right to access their Personal Data to correct it, amend it or delete it.
To request access to, or correction, amendment or deletion of, Personal Data, a Data Subject should contact us at: privacycommittee@imprivata.com. Imprivata will cooperate with all reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield, except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated.
- Recourse, Enforcement and Liability
Imprivata’s participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission. In compliance with the Privacy Shield Principles, Imprivata commits to resolve complaints about your privacy and our collection or use of your Personal Data.
EU and Swiss individuals with inquiries or complaints regarding this Policy should first contact: privacycommittee@imprivata.com.
Imprivata has further committed to cooperate with the panel established by the European Union data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland to the United States. If you do not receive timely acknowledgment of a complaint, or if we do not satisfactorily address your compliant, please visit the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint) for more information about how to contact your local DPA or the Swiss Commissioner.
In addition to the above dispute resolution mechanisms, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission, under certain conditions.
Imprivata agrees to periodically review and verify our compliance with the Privacy Shield Principles, and to remedy any issues that arise out of failure to comply with the Privacy Shield Principles. We acknowledge that failure to provide an annual self-certification to the U.S. Department of Commerce will remove Imprivata from the Department’s list of Privacy Shield participants.
4. What happens if Imprivata changes this Policy?
Imprivata may modify this Policy from time to time, consistent with changes to the requirements of the Privacy Shield Principles or Framework, or changes within our organization. If Imprivata changes this Policy, we will provide Data Subjects appropriate notice regarding such modifications by highlighting the change on our Site, or by emailing Data Subjects’ email addresses of record.
5. How can I contact Imprivata about this Policy?
Should you have any questions or concerns about this Policy or need to update certain Personal Data, please contact Imprivata at privacycommittee@imprivata.com.