Privacy Notice
Last updated: October 11, 2021
Contact details of the data controller/processor:
Blueprint Genetics Oy
VAT number: FI22307900
Address: Keilaranta 16 A-B, 02150 Espoo
Contact details of the Data Protection Officer:
Address: Keilaranta 16 A-B, 02150 Espoo, Finland
Email: privacy@blueprintgenetics.com
Blueprint Genetics (“we”, “us”, “our”) is committed to respecting your privacy and protecting your personal data, which is any information that is capable of identifying you as an individual person. This Privacy Notice describes how we handle and protect your personal data and we will keep this Notice under regular review.
Blueprint Genetics processes various categories of personal data and depending on the context, we might act as a data controller or a data processor.
We refer to “you” in this Privacy Notice. To better understand what information is most relevant to you as a data subject, see the following useful definitions.
Data subject definitions
Patients
If you are a patient whose sample will be tested or has been tested by us for molecular diagnosis, we act as a processor of your personal data.
Patients who have consented to research use
If you are a patient and have given an informed consent for research use of your personal information, we act as your data controller.
Customers
If you are a customer or a representative of a customer of Blueprint Genetics, we act as your data controller.
Marketing contacts
If you are not a customer of ours but have provided us with your personal information for marketing purposes, we act as your data controller.
Job applicants
If you are interested in career opportunities at Blueprint Genetics and wish to find out more about our privacy practices in recruitment processes, please see our Job Applicant Privacy Notice at our Careers page.
If you are an employee, staff member, corporate officer or advisor of Blueprint Genetics, this notice does not apply to you. Please contact Blueprint People Operations for the relevant privacy notice.
Website users
We collect certain information, such as device-related information and analytical information via our website by using cookies. We act as your data controller for such personal data. For more information, please see our Cookie Policy.
Patients
Our role and purpose
In diagnostic genetic testing, we process your personal data on behalf of the ordering healthcare facility (or similar). The legal basis for processing your data has been determined by your healthcare facility. Your personal data has been provided by your healthcare facility.
Who is my data controller?
Your data controller is the healthcare facility (or similar) that has referred your sample to be tested by us. In certain situations, there might be another processor between us and your healthcare facility, such as a referral laboratory. We process your personal information as instructed by your controller or another processor appointed by your controller.
What personal data is being processed?
This data may include:
- Name
- Date of birth
- Gender
- Ethnicity
- Nationality
- Medical information from your physician’s referral
- Family history and relationships
- Specimen identification number and equivalent identifiers
- Identifiable genetic information
- Email, phone number, address, fax number
How will you use my personal information?
We use your personal data only to the extent that is absolutely necessary to perform genetic testing and directly related activities, such as billing. Within our organization, access to your personal data is limited to personnel participating in the diagnostic process, customer service and, in certain situations, technical personnel. Unless explicitly authorized to do so, we will not use your personal data for any other purpose.
When disclosing scientific genetic findings on a general level, e.g. in public databases, we make sure that such findings are anonymous and no identifying information is ever revealed. We accumulate population-level scientific variant information in our testing process to improve the understanding of gene-disease associations for the benefit of all patients and the clinical community. Such information is statistical in nature and does not contain any personal data.
Is my personal data shared with third parties?
We use a limited number of sub-contractors who process your personal data (so-called sub-processors), such as data storage providers. Some of our sub-processors concern only certain healthcare facilities. For example, if your hospital has requested your test results to be delivered via fax, we may use an external faxing service for this. We evaluate our sub-processors carefully and always notify our customers of any new sub-contractors beforehand. Our sub-processors are committed to securing your privacy.
Unless explicitly authorized to do so, we will not share your personal data with anyone else, unless we are legally required to do so.
How is my privacy secured?
See section “Our data security” below.
Is my personal data transferred outside the European Economic Area?
If your healthcare facility is based in the European Economic Area: No.
If your healthcare facility is based outside the European Economic Area: Yes. In such a situation, we make sure to comply with all legal requirements for international transfers.
How long is my data retained?
We retain the personal data processed by us as instructed by your data controller. In the absence of any other instructions, the personal data concerning you will be deleted after 20 calendar years.
How can I exercise my rights as a data subject?
If you wish to exercise your rights, such as your right of access or right to be forgotten, we ask you to contact your data controller, which is the ordering healthcare facility (or similar). Should you contact us, we will assist your data controller with fulfilling your rights.
However, if you do want to complain about our use of personal data, please see the section “Complaints” at the bottom of this page.
Patients who have consented to research use
Our role and purpose
When undergoing genetic testing at Blueprint Genetics, you may give us an informed consent for the research use of your personal information. While we greatly appreciate research consent, it in no way affects your diagnostic testing or further treatment. In such a research setting, our legal basis for processing your personal data is your consent and scientific research. We act independently of your healthcare facility and we are your data controller.
What personal data is being processed?
We may process the same personal data as listed in section “Patients” above. The research data concerning you will be treated as confidential information and coded in such a way that your identity cannot be discovered without a key code in the possession of a Blueprint Genetics research physician.
What kind of research am I participating in?
The kind of research may depend on your consent, but generally, we may use your personal information in research of inherited genetic disorders. Such research benefits other patients and the whole scientific community and may result in new treatments for diseases that are currently untreatable.
Upon your consent, we may also contact you regarding research that might be beneficial for you personally, such as clinical trials.
Is my personal data shared with third parties or transferred outside the European Economic Area?
We may use certain data processors as described in section “Patients” above. Also, research projects in the field of genetics are often international and may involve various research groups or companies. Your coded research data may be processed by such research groups or companies, subject to confidentiality. Where necessary, it may also be processed outside the European Economic Area, in which situations we take the necessary actions to comply with the law.
How long is the data retained?
The data will be retained in accordance with your research consent and for a maximum of 50 years.
How can I withdraw my consent?
You can withdraw your consent at any time by notifying us in writing.
How can I exercise my rights as a data subject?
See section “Your rights towards Blueprint Genetics as data controller and how to exercise them” below.
Customers
Our role and purpose
If you are a customer of ours, we collect certain personal data from you. Our legal basis for processing your data is the performance of your customer contract, our legal obligations and our legitimate interest in managing our customer relationships, marketing and developing our business. We are your data controller.
What personal data is being processed?
This data may include:
- Name
- Email, phone number, address, fax number
- Job title
- Physician identification number or similar identifier
- Ordering history
- Participation in customer events
How will you use my personal information?
Generally, we use your personal information to process your orders and to fulfill your requests. Where appropriate, our representatives may contact you as part of conventional customer relationship management. We may send you certain notifications by email if we consider these to be of great importance for you or your patients. Such notifications may relate to matters such as product, technology, pricing or reimbursement changes.
To improve our services, we may also use your personal information for our internal processes, such as marketing and sales reporting.
Is my personal data shared with third parties?
We use a limited number of sub-contractors who process your personal data (so-called sub-processors), such as data storage providers, customer relationship management services and accounting services for billing purposes. Our sub-processors are committed to securing your privacy.
Unless authorized by you, we will not share your personal data with anyone else, unless we are legally required to do so.
Is my personal data shared with third parties or transferred outside the European Economic Area?
In certain situations, yes. Some of our cloud-based solutions may process customer information outside the European Economic Area. In such situations, we always ensure that the transfer of your personal data is protected with appropriate safeguards in accordance with applicable privacy laws.
How long is my data retained?
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected and as long as we maintain an active customer relationship with you or your healthcare facility. In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for customer personal data is 5 years from last customer activity. Please note that we will not delete customers’ personal data as long as we retain their patients’ personal data in the capacity of data processor.
How is my privacy secured?
See section “Our data security” below.
How can I exercise my rights as a data subject?
See section “Your rights towards Blueprint Genetics as data controller and how to exercise them” below.
Marketing contacts
Our role and purpose
We may collect certain personal data concerning you for marketing purposes. In such a situation, our legal basis for processing is our legitimate interest to market our services, or your consent which you have given either directly to us or to a third party, such as an event organization.
What personal data is being processed?
This data may include:
- Name
- Email, phone number, address, fax number
- Job title
- Participation in customer events
Data retention and other details of processing
Unless you become a customer of ours, our baseline retention period for marketing contact personal data is 5 years. Where we process your data based on consent, you may withdraw such a consent at any time.
For other details of processing, the same principles apply as in the section “Customers” above.
Our data security
We implement appropriate technical and organizational measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Such measures take into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for your rights.
Such measures include, for example:
- the pseudonymization and encryption of personal data, where possible
- training our employees and other staff regularly
- using confidentiality undertakings with our employees and partners
- using backup systems
- implementing function-specific data privacy and security practices
- physical safeguards
- arranging third-party audits
- encouraging our customers to use the safest possible methods for transferring personal data to us
- regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Your rights towards Blueprint Genetics as data controller and how to exercise them
You have certain rights over your personal data and we are responsible for fulfilling these rights.
You have a right to:
- request a copy of personal data we hold about you;
- ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
- ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data;
- request the personal data you have provided to us in a structured and commonly used format;
- object to the processing of your personal data under certain circumstances; and/or
- withdraw your consent to our processing of your personal data (to the extent such processing is based on consent and consent is the only permissible basis for processing).
If you would like to exercise these rights or understand if these rights apply to you, please contact us by sending an email to privacy@blueprintgenetics.com.
Complaints
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to privacy@blueprintgenetics.com. We will look into and respond to any complaints we receive without undue delay and no later than within 30 days.
You also have the right to lodge a complaint with the Office of the Data Protection Ombudsman (the Finnish data protection regulator). For further information on your rights and how to complain to the Ombudsman, please visit https://tietosuoja.fi/en/home.