Privacy

Privacy Notice

Last updated: May 25, 2018

Contact details of the data controller/processor:

Blueprint Genetics Oy
VAT number: FI22307900
Address: Haartmaninkatu 8, 00290 Helsinki, Finland

 

Name of the person responsible for data protection:

Otto Levijärvi, Data Protection Officer
Address: Haartmaninkatu 8, 00290 Helsinki, Finland
Email: privacy@blueprintgenetics.com

 

Blueprint Genetics (“we”, “us”, “our”) is committed to respecting your privacy and protecting your personal data, which is any information that is capable of identifying you as an individual person. This Privacy Notice describes how we handle and protect your personal data and we will keep this Notice under regular review.

Blueprint Genetics processes various categories of personal data and, depending on the context, we might act as a data controller or a data processor.

We refer to “you” in this Privacy Notice. To better understand what information is most relevant to you, see the following useful definitions.

Data subject definitions

Website users

When monitoring the use of our website, we act as a controller of your personal data. We collect certain information from our website using cookies. For more information, please see our Cookie Policy.

Patients

If you are a patient whose sample will be tested or has been tested by us for molecular diagnosis, we act as a processor of your personal data.

Patients who have consented to research use

If you are a patient and have given informed consent for research use of your personal information, we act as your data controller.

Customers

If you are a customer or a representative of a customer of Blueprint Genetics, we act as your data controller.

Marketing contacts

If you are not a customer of ours but have provided us with your personal information for marketing purposes, we act as your data controller.

Job applicants

If you are interested in career opportunities at Blueprint Genetics and wish to find out more about our privacy practices in recruitment processes, please see our Job Applicant Privacy Notice at our Careers page.

If you are an employee or other staff member of Blueprint Genetics, this notice does not apply to you. Please contact Blueprint People Operations for the Employee Privacy Notice.

Patients

Our role and purpose

In diagnostic genetic testing, we process your personal data on behalf of the ordering healthcare facility. Our legal basis for processing your personal data is clinical diagnosis and the fulfillment of our customer contract. Your personal data has been provided by your healthcare facility.

If your primary reason for undergoing genetic testing is not medical diagnosis but scientific research, our legal basis for processing your personal information is your research consent. Otherwise the same privacy principles apply as in diagnostic testing.

Who is my data controller?

Your data controller is the healthcare facility that has referred your sample to be tested by us. In certain situations, there might be another processor between us and your healthcare facility, such as a referral laboratory. We process your personal information as instructed by your controller or another processor appointed by your controller.

What personal data is being processed?

This data may include:

  • Name
  • Date of birth
  • Gender
  • Ethnicity
  • Nationality
  • Medical information from your physician’s referral
  • Family history and relationships
  • Specimen identification number and equivalent identifiers
  • Identifiable genetic information
  • Email, phone number, address, fax number

How will you use my personal information?

We use your personal data only to the extent that is absolutely necessary to perform genetic testing and directly related activities, such as billing. Within our organization, access to your personal data is limited to personnel participating in the diagnostic process, customer service and, in certain situations, technical personnel. Unless explicitly authorized to do so, we will not use your personal data for any other purpose. When disclosing genetic findings on a general level, e.g. in public databases, we make sure that such findings are completely de-identified and no identifying information is ever revealed.

Is my personal data shared with third parties?

We use a limited number of sub-contractors who process your personal data (so-called sub-processors), such as data storage providers. Some of our sub-processors concern only certain healthcare facilities. For example, if your hospital has requested your test results to be delivered via fax, we may use an external faxing service for this. We evaluate our sub-processors carefully and always notify our customers of any new sub-contractors beforehand. Our sub-processors are committed to securing your privacy.

Unless explicitly authorized to do so, we will not share your personal data with anyone else, unless we are legally required to do so.

How is my privacy secured?

See section “Our data security” below.

Is my personal data transferred outside the European Economic Area?

If your healthcare facility is based in the European Economic Area: No.

If your healthcare facility is based outside the European Economic Area: Yes. In such a situation, our legal basis for the transfer is the necessity for fulfilling our customer contract made in your interest, i.e. to deliver your test results to your healthcare facility.

How long is my data retained?

We retain the personal data processed by us as instructed by your controller.

How can I exercise my rights as a data subject?

If you wish to exercise your rights, such as your right of access or right to be forgotten, we ask you to contact your data controller. Should you contact us, we will assist your data controller with fulfilling your rights.

However, if you do want to complain about our use of personal data, please see the section “Complaints” at the bottom of this page.

Patients who have consented to research use

Our role and purpose

When undergoing genetic testing at Blueprint Genetics, you may give us informed consent for the research use of your personal information. While we greatly appreciate research consent, it in no way affects your diagnostic testing or further treatment. In such a research setting, our legal basis for processing your personal data is your consent and scientific research. We act independently of your healthcare facility and we are your data controller.

What personal data is being processed?

We may process the same personal data as listed in section “Patients” above. The research data concerning you will be treated as confidential information and coded in such a way that your identity cannot be discovered without a key code in the possession of a Blueprint Genetics research physician.

What kind of research am I participating in?

The kind of research may depend on your consent, but generally, we may use your personal information in research of inherited genetic disorders. Such research benefits other patients and the whole scientific community and may result in new treatments for diseases that are currently untreatable.

Upon your consent, we may also contact you regarding research that might be beneficial for you personally, such as clinical trials.

Is my personal data shared with third parties or transferred outside the European Economic Area?

We may use certain sub-processors as described in section “Patients” above. Also, research projects in the field of genetics are often international and may involve various research groups or companies. Your coded research data may be processed by such research groups or companies, subject to confidentiality. Where necessary, it may also be processed outside the European Economic Area, in which situations we take the necessary actions to comply with the law.

How long is the data retained?

The data will be retained for 50 years.

How can I withdraw my consent?

You can withdraw your consent at any time by notifying us in writing.

How can I exercise my rights as a data subject?

See section “Your rights towards Blueprint Genetics as data controller and how to exercise them” below.

Customers

Our role and purpose

If you are a customer of ours, we collect certain personal data from you. Our legal basis for processing your data is the performance of your customer contract and our legitimate interest in managing our customer relationships, marketing and developing our business. We are your data controller.

What personal data is being processed?

This data may include:

  • Name
  • Email, phone number, address, fax number
  • Job title
  • Physician identification number or similar identifier
  • Ordering history
  • Participation in customer events

How will you use my personal information?

Generally, we use your personal information to process your orders and to fulfill your requests. Where appropriate, our representatives may contact you as part of conventional customer relationship management. We may send you certain notifications by email if we consider these of great importance for you or your patients. Such notifications may relate to matters such as product, technology, pricing or reimbursement changes.

To improve our services, we may also use your personal information for our internal processes, such as marketing and sales reporting. We will not use you as a reference without your prior explicit consent.

Is my personal data shared with third parties?

We use a limited number of sub-contractors who process your personal data (so-called sub-processors), such as data storage providers, customer relationship management services and accounting services for billing purposes. Our sub-processors are committed to securing your privacy.

Unless authorized by you, we will not share your personal data with anyone else, unless we are legally required to do so.

Is my personal data shared with third parties or transferred outside the European Economic Area?

In certain situations, yes. Some of our cloud-based solutions may process customer information outside the European Economic Area. In such a situation, we always have a legal basis for the transfer, such as Privacy Shield or standard contractual clauses.

How long is my data retained?

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected and as long as we maintain an active customer relationship with you or your healthcare facility. In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for customer personal data is 5 years from last customer activity.

How is my privacy secured?

See section “Our data security” below.

How can I exercise my rights as a data subject?

See section “Your rights towards Blueprint Genetics as data controller and how to exercise them” below.

Marketing contacts

Our role and purpose

We may collect certain personal data concerning you for marketing purposes. Typically, in such a situation, our legal basis for processing is your consent, which you have given either directly to us or to a third party, such as an event organization.

What personal data is being processed?

This data may include:

  • Name
  • Email, phone number, address, fax number
  • Job title
  • Participation in customer events

Data retention and other details of processing

Unless you become a customer of ours, our baseline retention period for marketing contact personal data is 5 years.

For other details of processing, the same principles apply as in the section “Customers” above.

Our data security

We implement appropriate technical and organizational measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Such measures take into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for your rights.

Such measures include, for example:

  • the pseudonymization and encryption of personal data, where possible
  • training our employees and other staff regularly
  • using confidentiality undertakings with our employees and partners
  • using backup systems
  • implementing function-specific data privacy and security practices
  • physical safeguards
  • arranging third-party audits
  • encouraging our customers to use the safest possible methods for transferring personal data to us
  • regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

Your rights towards Blueprint Genetics as data controller and how to exercise them

You have certain rights over your personal data and we are responsible for fulfilling these rights.

You have a right to:

  • request a copy of personal information we hold about you;
  • ask that we update the personal information we hold about you, or correct such personal information that you think is incorrect or incomplete;
  • ask that we delete personal information that we hold about you, or restrict the way in which we use such personal information;
  • forbid us to process your personal information; and/or
  • withdraw your consent to our processing of your personal information (to the extent such processing is based on consent and consent is the only permissible basis for processing).

If you would like to exercise these rights or understand if these rights apply to you, please contact us by sending an email.

Complaints

We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to privacy@blueprintgenetics.com. We will look into and respond to any complaints we receive without undue delay, and no later than within 30 days.

You also have the right to lodge a complaint with the Office of the Data Protection Ombudsman (the Finnish data protection regulator). For further information on your rights and how to complain to the Ombudsman, please visit https://tietosuoja.fi/en/home.

Notice of Privacy Practices

May 25, 2018

 

YOUR INFORMATION. YOUR RIGHTS. OUR RESPONSIBILITIES.

 

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Your Rights

You have the right to:

  • Get a copy of your paper or electronic medical record
  • Correct your paper or electronic medical record
  • Request confidential communication
  • Ask us to limit the information we share
  • Get a list of those with whom we’ve shared your information
  • Get a copy of this privacy notice
  • Choose someone to act for you
  • File a complaint if you believe your privacy rights have been violated

Your Choices

You have some choices in the way that we use and share information as we:

  • Tell family and friends about your condition
  • Share information in a disaster relief situation

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

Our Uses and Disclosures

We may use and share your information as we:

  • Perform testing services
  • Run our organization
  • Bill for your services
  • Do research
  • Comply with the law
  • Respond to lawsuits and legal actions

Your Rights

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

Get an electronic or paper copy of your medical record

  • You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.
  • We will provide a copy or a summary of your health information, usually within 30 days of your request.

Ask us to correct your medical record

  • You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.
  • We may say “no” to your request, but we’ll tell you why in writing within 60 days.

Request confidential communications

  • You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
  • We will say “yes” to all reasonable requests.

Ask us to limit what we use or share

  • You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
  • If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.

Get a list of those with whom we’ve shared information

  • You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
  • We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

Get a copy of this privacy notice

You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.

Choose someone to act for you

  • If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
  • We will make sure the person has this authority and can act for you before we take any action.

File a complaint if you feel your rights are violated

  • You can complain if you feel we have violated your rights by contacting us.
  • You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.
  • We will not retaliate against you for filing a complaint.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.

In these cases, you have both the right and choice to tell us to:

  • Share information with your family, close friends, or others involved in your care
  • Share information in a disaster relief situation
  • Include your information in a hospital directory

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

In these cases we never share your information unless you give us written permission:

  • Marketing purposes
  • Sale of your information
  • Most sharing of psychotherapy notes

Our Uses and Disclosures

HOW DO WE TYPICALLY USE OR SHARE YOUR HEALTH INFORMATION?

We typically use or share your health information in the following ways.

Deliver test results

We can share your health information with professionals who are treating you.

Run our organization

We can use and share your health information to run our operations, improve our testing, and contact you when necessary.

Example: We use health information about you to manage your services.

Bill for your services

We can use and share your health information to bill and get payment from health plans or other entities.

Example: We give information about you to your health insurance plan so it will pay for your services.

 

HOW ELSE CAN WE USE OR SHARE YOUR HEALTH INFORMATION?

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.

Help with public health and safety issues

We can share health information about you for certain situations such as:

  • Reporting adverse reactions to medications
  • Reporting suspected abuse, neglect, or domestic violence
  • Preventing or reducing a serious threat to anyone’s health or safety

Do research

We can use or share your information for health research.

Comply with the law

We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

Work with a medical examiner

We can share health information with a coroner or medical examiner when an individual dies.

Address workers’ compensation, law enforcement, and other government requests

We can use or share health information about you:

  • For workers’ compensation claims
  • For law enforcement purposes or with a law enforcement official
  • With health oversight agencies for activities authorized by law
  • For special government functions such as military, national security, and presidential protective services

Respond to lawsuits and legal actions

We can share health information about you in response to a court or administrative order, or in response to a subpoena.

Disclosures to Business Associates

We may disclose your health information to other companies or individuals that need the information to provide services for us. These other entities, known as “business associates,” are required to maintain the privacy and security of your health information. For example, we may use a company to perform billing services on our behalf.

Our Responsibilities

  • We are required by law to maintain the privacy and security of your protected health information.
  • We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
  • We must follow the duties and privacy practices described in this notice and give you a copy of it.
  • We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.

Changes to the Terms of this Notice

We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our office, and on our web site.

 

Privacy Contact:
privacy@blueprintgenetics.com

Last modified: 07.30.2018