Last updated: March 9, 2022
This Testing Program Privacy Notice (the “Notice”) describes how your personal data is processed in the FGFR3 Sponsored Testing Program (the “Program”). Blueprint Genetics Oy (“Blueprint Genetics”) and BioMarin International Limited (“BioMarin”) are in a joint controller relationship to jointly determine the means of such processing. Blueprint Genetics acts as the point of contact for all program participants.
Blueprint Genetics and BioMarin (collectively “we”, “us”, “our”) are committed to respecting your privacy and protecting your personal data, which is any information that is capable of identifying you as an individual person.
We keep this Notice under regular review. Please note that this Notice only applies to personal data that is processed jointly by Blueprint Genetics and BioMarin for the purposes of the Program. For other categories of personal data processed by Blueprint Genetics, including the clinical report and general customer information, please see the General Privacy Notice.
We refer to “you” in this Notice. This Notice has differing sections for patients and healthcare providers, and depending on your role, different rules and practices may apply.
Contact details of the joint controllers:
Blueprint Genetics Oy
VAT number: FI22307900
Address: Keilaranta 16 A-B, 02150 Espoo
Contact details of the Data Protection Officer:
Address: Keilaranta 16 A-B, 02150 Espoo, Finland
Patients: Data we process and what we use it for
For the purposes of the Discover DysplasiasTM Program we process the following data about you:
- Year of birth
- Residency country
- Details on your genetic findings (your relevant genetic variation(s) and their possible connection to a clinical condition, as presented in your clinical report)
- Sample ID, a random code assigned to your sample by Blueprint Genetics
- Details of the healthcare provider who has ordered your test
Your personal data has been provided by your healthcare provider.
Blueprint Genetics will share no other data about you with BioMarin. Your clinical report and other data will be shared with your healthcare provider, and these are covered by Blueprint Genetics’ General Privacy Notice.
Blueprint Genetics uses your personal data to the extent necessary to run the Program and to provide the test results to the ordering clinician. In addition, an anonymized summary of results from your test may be used by Blueprint Genetics in scientific publications and presentations and/or in DNA variant databases in order to improve the understanding, diagnostics, and treatment of similar clinical conditions. No identifying or identified personal data will ever be presented. BioMarin may collaborate with Blueprint Genetics for these publications.
BioMarin will only use your personal data for the purpose of research and improving the services provided by Blueprint Genetics.
Our legal basis for processing your data is your consent, as provided on the General Form.
Ordering healthcare providers: Data we process and what we use it for
For the purposes of the Discover DysplasiasTM Program, we process the following data about you:
- Contact information
Your personal data has been provided to us by you or another individual in your organization that has placed the test order on your behalf.
We use your data for the following purposes:
- To the extent necessary for running the Program and to providing you the sponsored services.
- To promote genetic testing for timely diagnosis of genetic skeletal dysplasia.
- To contact you about events and services that may be relevant for you in the future.
Our legal bases for processing your data are the contract between you or your organization (Program Terms) and our legitimate interest in running the Program.
Is my personal data shared with third parties?
We use a limited number of third-party service providers who process your personal data per our instructions (data processors), such as data storage providers. We evaluate our data processors carefully and they are committed to secure your privacy. In addition, both Blueprint Genetics and BioMarin may share your data with companies belonging to their same groups of companies, when there is an operational need to do so.
Unless explicitly authorized to do so, we will not share your personal data with anyone else, unless we are legally required to do so.
Is my personal data transferred outside the European Economic Area?
We may transfer your data outside the European Economic Area. When doing so, we always ensure that the transfer of your personal data is protected with appropriate safeguards in accordance with applicable privacy laws.
How long is my data retained?
Unless otherwise required by applicable laws, your personal data will be retained for a maximum of 25 years.
Our data security
We implement appropriate technical and organizational measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Such measures take into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for your rights.
Such measures include, for example:
- the pseudonymization and encryption of personal data, where possible
- training our employees and other staff regularly
- using confidentiality undertakings with our employees and partners
- using backup systems
- implementing function-specific data privacy and security practices
- physical safeguards
- arranging third-party audits
- encouraging our customers to use the safest possible methods for transferring personal data to us
- regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Your rights and how to exercise them
You have certain rights over your personal data and we are responsible for fulfilling these rights.
You have a right to:
- request a copy of personal data we hold about you;
- ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
- ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data;
- request the personal data you have provided to us in a structured and commonly used format;
- object to the processing of your personal data under certain circumstances; and/or
- withdraw your consent to our processing of your personal data (to the extent such processing is based on consent and consent is the only permissible basis for processing).
If you would like to exercise these rights or understand if these rights apply to you, please contact us by sending an email to firstname.lastname@example.org.
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to email@example.com. We will look into and respond to any complaints we receive without undue delay, however no later than within 30 days.
You also have the right to lodge a complaint with the The Office of the Data Protection Ombudsman (the Finnish data protection regulator). For further information on your rights and how to complain to the Ombudsman, please visit https://tietosuoja.fi/en/home . You also have the right to lodge a complaint with your local data protection authority.