DataFirst Corporation Privacy Shield Notice
Effective Date: January 10, 2019
Last Updated: March 5, 2020
DataFirst Corporation (“DataFirst”) has certified certain services, for which we act as a service provider for customers in the European Economic Area (“EEA”), the United Kingdom, and Switzerland, under the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
We provide this Notice to describe and explain the measures we take to protect the privacy of data subjects in the EEA, the United Kingdom, and Switzerland and to comply with applicable law and our obligations under the Privacy Shield Frameworks.
DataFirst’s Participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
DataFirst provides data migration services to customers (typically healthcare providers) in the EEA, the United Kingdom, and Switzerland that involve converting and migrating data between computer systems (such services, “Data Migration Services”). This Notice, and DataFirst’s Privacy Shield certifications, apply only to these Data Migration Services.
DataFirst complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (together, the “Privacy Shield Frameworks”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the EEA, the United Kingdom, and Switzerland to the United States in connection with its performance of Data Migration Services. DataFirst has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to its provision of these Data Migration Services.
DataFirst commits to subject to the Privacy Shield Principles all personal data from EEA, the United Kingdom, and Switzerland that it receives or to which it is given access in reliance on the Privacy Shield Frameworks.
If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
The Federal Trade Commission has jurisdiction over DataFirst’s compliance with the Privacy Shield Frameworks.
Types of Data Processed and Purposes of Processing
When performing Data Migration Services, DataFirst may be given access to data, including personal data, which is stored on computer systems maintained and operated by customers (such data, “Migration Services Data”). While the customer decides what data will be processed Migration Services Data typically include data about the customer’s patients, including medical images and related medical records that may include sensitive information about those patients’ health status, medical assessments, and test results.
During the performance of Data Migration Services, all Migration Services Data to which DataFirst may be given access remains on systems located at the customer’s facilities. DataFirst personnel in the United States may access Migration Services Data through a remote connection to the customer’s systems to (a) perform data conversion and migration services; (b) provide troubleshooting and support for issues arising during data conversion and migration; and (c) confirm successful conversion and data migration.
DataFirst may also receive basic business contact information pertaining to customer personnel in the EEA or Switzerland with whom we work to perform Data Migration Services (such information, “Customer Contact Data”). Customer Contact Data may include name, business email address, mailing address, and business telephone number. DataFirst uses Customer Contact Data to coordinate the performance of data conversion and migration services and to manage and respond to related customer requests for service or support.
In performing Data Migration Services, DataFirst acts as a data processor for the customer (who acts as the data controller), or as a sub-processor for the customer’s other service providers. DataFirst processes Migration Services Data and Customer Contact Data pursuant to the customer’s instructions and in accordance with contractual agreements between DataFirst and the customer or the customer’s other service providers.
Disclosures of Migration Services Data and Customer Contact Data to Third Parties
DataFirst may disclose Customer Contact Data to a limited number of third-party service providers who acts as our agents to assist in our performance of Data Migration Services. DataFirst maintains contracts with these service providers that restrict their access, use, and disclosure of personal data and that require them to provide at least the same level of protection as required by the Privacy Shield Principles. DataFirst is responsible for these service providers’ compliance with these obligations, and shall remain liable under the Privacy Shield Principles if they process such personal data in a manner inconsistent with the Principles.
In addition, DataFirst may be required to disclose Migration Services Data and Customer Contact Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Access and Choice
Individuals in the EEA, the United Kingdom, and Switzerland have a right to access personal data about them, and to limit the use and disclosure of their personal data. As part of its certification to the Privacy Shield Frameworks, DataFirst is committed to respecting those rights.
DataFirst acts as service provider to customers in the EEA, the United Kingdom, and Switzerland with respect to Migration Services Data and Customer Contact Data and is subject to strict contractual limitations on its ability to disclose that personal data to third parties or to use that personal data for purposes other its performance of Data Migration Services. For these reasons, DataFirst assumes that the customers from who it receives Data Migration Services or Customer Contact Data will provide these individuals a means to access any personal data about them, and to request that their personal data be corrected, amended, or deleted. DataFirst further assumes that customers obtain from these individuals appropriate consent to transfer their personal data to us and for us to process their personal data consistent with this Notice and our agreements with those customers or their service providers.
If you are an individual who believes your personal data is included in Migration Services Data or Customer Contact Data that we process on behalf of a customer in the EEA or Switzerland and would like to exercise your rights of access or choice, please contact that customer directly. Alternatively, you may contact DataFirst in accordance with the “Inquiries and Complaints” section of this Notice, in which case you should provide the name of the customer in the EEA or Switzerland who acts as the controller for your personal data. We will refer your request to that customer and will support them as needed in responding to your request.
Inquiries and Complaints
In compliance with the Privacy Shield Principles, DataFirst commits to resolve complaints about our handling of personal data in the EEA, the United Kingdom, and Switzerland to which we are given access in reliance on the Privacy Shield Frameworks. Individuals in the EEA, the United Kingdom, and Switzerland with inquiries or complaints regarding this Notice or our privacy practices should first contact DataFirst by sending an email to firstname.lastname@example.org or by regular mail to the attention of:
2700 Sumner Blvd.
Raleigh, NC 27616
DataFirst has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States who DataFirst has designated to provide appropriate recourse to individuals free of charge. If you do not receive timely acknowledgement of your complaint from us, or if we have not resolved your complaint, please contact JAMS using the information provided at https://www.jamsadr.com/eu-us-privacy-shield.
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance that are not resolved by any of the other Privacy Shield mechanisms. For additional information about the arbitration process please see Annex I of the Privacy Shield: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.